Plaintiff and Counter-Defendant Intertrust Technologies Corporation ("Intertrust") and
Defendant and Counter-Claimant Microsoft Corporation ("Microsoft") submit the following 
Joint Claim Construction and Prehearing Statement in accordance with Patent Local Rule 4-3. 

RULE 4-3(a) and (b) 

Claim terms and phrases on which the parties agree are listed at the beginning of Exhibit 
B, attached. 

RULE 4-3(b) 

Attached hereto as Exhibit A is Microsoft's presentation of disputed claim terms 
and Microsoft's proposed constructions. Attached hereto as Exhibit B is InterTrust's 
presentation of disputed claim terms and InterTrust's proposed constructions. The parties are 
discussing a joint presentation that would present each party's position on all disputed terms in a 
side-by-side format. If the parties reach agreement on such a submission, the parties will provide 
that submission to the Court as a substitute for the attached Exhibits A and B. 

Attached hereto as Exhibit C is InterTrust's identification of intrinsic and 
extrinsic evidence supporting InterTrust's proposed construction for each disputed term and 
phrase. 

Attached hereto as Exhibit D is Microsoft's identification of intrinsic and 
extrinsic evidence supporting Microsoft's proposed construction for each disputed term and 
phrase. 

Attached hereto as Exhibit E is a Microsoft statement of reservations. 

RULE 4-3(c) 

The Court has set aside three days for the Claim Construction Hearing. 

RULE 4-3(d) 

Attached hereto as Exhibit F is a summary of expert testimony to be presented by 
InterTrust. Attached hereto as Exhibit G is a summary of expert testimony to be presented by 
Microsoft. 

RULE 4-3(e)

Following is a list of other issues the parties believe might appropriately be taken 
up at the Case Management Conference hearing set for February 13, or such other prehearing
conference as the Court may wish to schedule. Substantive argument on these issues is set forth 
in the Joint Case Management Conference Statement filed concurrently herewith. 

A. Issues upon which the parties agree: 

1. Live expert testimony should not be presented. Each party will undertake its best
efforts to have its above-designated expert(s) present at the hearing to respond to 
questions from the Court. 

2. Each party will undertake its best efforts to have its declarants available for deposition 
within one week of submitting Claim Construction or indefiniteness summary judgment 
declarations. 

3. Normal briefing page limits should be doubled for the Claim Construction briefs. 

4. There will be no post-hearing briefing, except at the request of the Court. 

B. Issues which the parties agree should be taken up at the Case Management Conference, but as 
to which the parties do not agree on substance: 

1. The number of claim construction briefs to be filed by the parties.

2. Format of the Claim Construction Hearing. 

a. Whether the parties should present tutorials, and, if so, the length and format of 
such a tutorial. 

b. Whether the parties should present a non-tutorial opening statement. 

c. The format and ordering of substantive argument on disputed claim language. 

d. Whether the currently scheduled Mini-Markman proceeding should be devoted 
to all of the disputed terms and phrases from the 12 selected patent claims, or a 
subset. 

3. Whether other issues should be addressed during the Claim Construction Hearing.

a. The anticipated Microsoft motion for summary judgment of indefiniteness, 
referenced in the Court's Further Case Management Order of November 6, 2002. 

b. Whether certain material said to be "incorporated by reference" into several of 
the asserted patents, does or does not constitute part of the "specification" of those 
patents for claim construction purposes. 

c. Other evidentiary disputes related to the Claim Construction Hearing. 

C. Issues Microsoft intends to raise at the Case Management Conference, but which InterTrust 
believes are not appropriate for that conference: 

1. Claim construction and claim indefiniteness discovery disputes.

2. The scope of the stay entered by the court.



Dated: February 3, 2003

By: MICHAEL H. PAGE
Attorneys for Intertrust Technologies Corporation

Dated: February 3, 2003

ORRICK HERRINGTON & SUTCLIFFE

By: ERIC L. WESENBERG
Attorneys for Microsoft Corporation

Exhibit A: Claim Chart

Exhibit A contains Microsoft's Preliminary Claim Construction. The chart presents the construction in the order of
the asserted "Mini-Markman" claims. Terms set forth in the claims (column 2) in bold are claim terms that the parties
dispute. Phrases set forth in the claims in italics are claim phrases that the parties dispute. Terms set forth in Microsoft's
construction (column 3) in bold, with initial capitalization, are terms Microsoft has construed.

'193 Claim 1


MS Construction 


1. 


1. A method comprising:


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


2. 


receiving a digital file 
including music, 


receiving a digital file including music:

This claim language falls within 35 U.S.C. § 112, ¶ 6. It recites a step or result
("receiving") without reciting an action that achieves that result. The specification 
does not clearly link any particular action to this recited step. Part of the recited 
function is performed when the Digital File is received by Communications Controller 
666 and passed through I/O Controller 600 to SPE 503/SPU 500 (specifically 
incorporates the SPU Encryption/Decryption Engine 522 that is used principally as an 
aspect of secure communications between VDE secure subsystems) and NVRAM 
534b (which stores sensitive information such as cryptographic Key(s) used for 
Authentication.) Rights Operating System 602 manages the hardware within SPU 
500 that performs Authentication of the secure container as part of the receiving step. 

The recited function requires: obtaining a VDE Secure Container encapsulating a 
Digital File, Authenticating the intended recipient in accordance with VDE Controls 
Associated With the Secure Container, and accepting the Secure Container. 

The qualifier "including music" recites non-functional descriptive material and is not a
patentable limitation. 

digital file: A named, static unit of storage allocated by a "file system" and 
Containing digital information. A Digital File enables any application using the "file 
system" to randomly access its contents and to distinguish it by name from every other 
such unit. A copy of a Digital File is a separate Digital File. (A "file system" is the 
portion of the operating system that translates requests made by application programs 
for operations on "files" into low-level tasks that can control storage devices such as 
disk drives.) 

including: As to data, storing within, as opposed to Addressing. As to hardware, 
physically present within. 


3. 


storing said digital file in a
first secure memory of a 
first device; 


digital file: see item #2 above 

secure memory: A processor-addressable Memory within a special-purpose Secure
Processing Unit which is isolated from the rest of the world by (and encapsulated 
within) a Tamper Resistant Barrier. "Processor-addressable" means that a 
connected processor can use the Secure Memory's physical addresses as the operand 
in a processor instruction such as LOAD or STORE or equivalent instruction. A 
"Memory" is not a "Secure Memory" merely because it stores encrypted, signed, 
and/or sealed data; is accessible from a Protected Processing Environment; or is 
within an appliance that is located at a trusted facility with non-VDE physical 
Security and user-identity Authentication procedures. 

secure: A state in which all users of a system are guaranteed that all information,
processes, and devices within the system, shall have their availability, secrecy, 
integrity, authenticity and nonrepudiation maintained against all of the identified 
threats thereto. "Availability" means the property that information is accessible and 
usable upon demand by authorized persons, at least to the extent that no user may 
delete the information without Authorization. "Secrecy," also referred to as 
confidentiality, means the property that information (including computer processes) is 
not made available or disclosed to unauthorized persons or processes. "Integrity" 
means the property that information has not been altered either intentionally or 
accidentally. "Authenticity" means the property that the characteristics asserted about 
a person, device, program, information, or process are genuine and timely, particularly 
as to identity, data integrity, and origin integrity. "Nonrepudiation" means the 
property that a sender of information cannot deny its origination and that a recipient of 
information cannot deny its receipt. 

memory: A medium in which data (including executable instructions) may be stored 
and from which it may be retrieved. 


4. 


storing information 
associated with said 
digital file in a secure 
database stored on said 
first device, 


associated with: A specific, direct persistent, and binding relationship with one or 
more discrete items. Code that processes information but is merely a general-purpose 
component of an installation is not "Associated With" that information. In VDE, an 
association between a unit of Executable code and particular information, or between 
particular control information and a Secure Container, cannot be broken except as 
Allowed by execution (within a Secure Processing Environment) of assigned VDE 
Control(s) and satisfaction of all requirements imposed by such execution. 

digital file: see item #2 above 

secure database: A Secure Database is a database isolated from all users such that it is 
Protected from external observation; and accidental or intentional alteration or 
destruction. In VDE, a Secure Database stores tracking, billing, payment, and 
auditing data until the data is delivered Securely to an authorized Clearinghouse. 

secure: see item #3 above 

database: a data file that is defined and accessed using the facilities of a database 
management system (DBMS); this implies in particular (a) that it is defined by means 
of a schema that is independent of any programs that access the database, and (b) that 
it uses direct access storage. 


5. 


said information including 
at least one budget control 
and at least one copy 
control, 


including: see item #2 above 

budget: A unique type of "method" that specifies a decrementable numerical 
limitation on future Use (e.g., copying) of digital information and how such Use will 
be paid for, if at all. (A "method" is a collection of basic instructions, and information
related to basic instructions, that provides context, data, requirements, and/or 
relationships for use in performing, and/or preparing to perform, basic instructions in 
relation to the operation of one or more electronic appliances.) 

budget control: A VDE Control assembled to apply to a Budget, and enforcing that 
Budget. No process, user, or device is able to make the use identified by the Budget 
once the Budget's specified limitation on that Use has been reached. 

copy control: A VDE Control which Controls Access to or some Use of a copy. 


6. 


said at least one budget
control including a budget
specifying the number of
copies which can be made
of said digital file;


a budget specifying the number of copies which can be made of said digital file: A
Budget explicitly stating the total number of copies (whether or not decrypted, long-lived,
or accessible) that (since creation of the Budget) Can Be made of the Digital
File by any and all users, devices, and processes. No process, user, or device is able to
make another copy of the Digital File once this number of copies has been made.

budget, budget control: see item #5 above

including: see item #2 above

can be: A specified act is able or authorized to be carried out, which otherwise cannot
be carried out

digital file: see item #2 above



7. 



and said at least one copy 
control controlling the 
copies made of said digital 



controlling the copies made of said digital file: Controlling Uses of and Accesses to
all copies of the Digital File, by all users, processes, and devices, by executing each of
the recited "at least one" Copy Control(s) within VDE Secure Processing
Environment(s). Each Control Governs (Controls) only one action, which action
may or may not differ among the different "at least one" Controls. All Uses and
Accesses are prohibited and incapable of occurring except to the extent Allowed by
the "at least one" Copy Control(s).

copy control: see item #5 above

controlling: Reliably defining and enforcing the conditions and requirements under
which an action that otherwise cannot be taken, will be Allowed, and the manner in 
which it may occur. Absent verified satisfaction of those conditions and requirements, 
the action cannot be taken by any user, process or device. In VDE, an action is 
Controlled through execution of the applicable VDE Control(s) within a VDE 
Secure Processing Environment. More specifically, in VDE, Controlling is 
effected by use of VDE Controls, VDE Secure Containers, and VDE foundation 
(including VDE Secure Processing Environment, "object registration," and other 
mechanisms for allegedly individually ensuring that specific Controls are enforced 
vis-a-vis specific objects (and their content at an arbitrary granular level) and specific 
"users") 

digital file: see item #2 above 



8.


determining whether said
digital file may be copied 
and stored on a second 
device based on at least 
said copy control; 



determining whether said digital file may be copied and stored on a second device
based on at least said copy control: Determining whether this particular first device is
Allowed to perform both of the following actions on this particular Digital File: (1)
Copy it and (2) store it (as opposed to a copy of it) on a second device, by executing
one or more VDE Control(s) (including "said" Copy Control Associated With this
Digital File) within VDE Secure Processing Environment(s). To the extent that
either of these two actions is not determined by this step to be permissible, that action
is prohibited and incapable of occurring, and no user, process or device can perform it
on this Digital File.

This claim limitation's recitation of "said copy control" is inconsistent with the claim
limitation "at least one copy control."

digital file: see item #2 above

copy, copied, copying: To reproduce all of a Digital File or other complete physical
block of data from one location on a storage medium to another location on the same 
or different storage medium, leaving the original block of data unchanged, such that 
two distinct and independent objects exist. Although the layout of the data values in 
physical storage may differ from the original, the resulting "copy" is logically 
indistinguishable from the original. The resulting "copy" may or may not be 
encrypted, ephemeral, usable, or accessible. 

copy control: see item #5 above


9. 


if said copy control allows 
at least a portion of said 
digital file to be copied and 
stored on a second device, 


if said copy control allows at least a portion of said digital file to be copied and stored
on a second device:

This "if" condition creates two branches for the recited process, each of which must be
performed. Each time the "if" condition is met, all four of the later-recited actions
(Copying, transferring, storing, playing) must occur. Each time it is not met, each of 
these four actions must be prohibited and incapable of occurring. 

This "if" condition is met if and only if "said" Copy Control Allows any Portion (i.e., 
a part less than the whole) of the Digital File to be Copied and also Allows that same 
Portion of the Digital File (as opposed to the copy) to be stored on any second device. 
This "if" condition is based entirely on "said copy control" and thus is met, as above, 
even if other VDE Control(s) prohibit those actions. 

This claim limitation's recitation of "copy control allows at least a portion" is 
inconsistent with the claim limitation "whether said digital file may be copied ... based 
on at least said copy control." 

This claim limitation's recitation of "if said copy control allows at least a portion ... 
copying" is inconsistent with "said at least one budget control including a budget 
specifying the number of copies which can be made of said digital file" on whether 
said "copy control" or said "budget control" determines whether Copying is Allowed. 

copy control: see item #5 above 

allow (allows): Actively permitting an action that otherwise cannot be taken (i.e., is
prohibited) by any user, process, or device. In VDE, an action is Allowed only 
through execution (within a Secure Processing Environment) of the VDE Control(s) 
assigned to the particular action request, and satisfaction of all requirements imposed 
by such execution. 

portion: A part of a whole, which is less than the whole 
digital file: see item #2 above 


10. 


copying at least a portion 
of said digital file; 


copying at least a portion of said digital file: Copying at least some Portion of the
Digital File (as opposed to a copy thereof), by executing VDE Control(s) within VDE
Secure Processing Environment(s). This Copied "Portion" may or may not be (or 
even include) the Portion referred to in the claim limitation "if said copy control 
allows at least a portion." 

copying: see item #8 above 

portion: see item #9 above 

digital file: see item #2 above 


11. 


transferring at least a 
portion of said digital file 
to a second device 
including a memory and 
an audio and/or video 
output; 


transferring at least a portion of said digital file to a second device: Transferring to
some second device (which may or may not be the "second device" referred to in the
claim limitation "if said copy control allows at least a portion of said digital file to be 
copied and stored on a second device") at least some Portion of the Digital File (as 
opposed to a copy thereof), by executing VDE Control(s) within VDE Secure 
Processing Environment(s). This transferred Portion may or may not be (or even 
include) the Portion referred to in the claim limitation "if said copy control allows at 
least a portion," or the Portion referred to in the claim limitation "copying at least a 
portion." 

portion: see item #9 above
digital file: see item #2 above 
memory: see item #3 above 


12. 


storing said digital file in
said memory of said 
second device; and 


storing said digital file: Storing the entire Digital File received in the "receiving" step 
(as opposed to a copy of the Digital File or a Portion of the Digital File). 
This claim limitation's recitation of "storing said digital file" is inconsistent with the 
claim limitation "transferring at least a portion of said digital file."

digital file: see item #2 above 

memory: see item #3 above 


13. 


including playing said 
music through said audio 
output 


This claim limitation's recitation of "playing ... through said audio output" is
inconsistent with the claim limitation "an audio and/or video output."


14.


11. A method comprising:


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


15. 


receiving a digital file 


receiving a digital file: see item #2 above 
digital file: see item #2 above 


16. 


storing information 
associated with said 
digital file in a secure 
database stored on said 
first device, 


associated with: see item #4 above 
digital file: see item #2 above 
secure database: see item #4 above


17. 


said information including 
a first control; 


including: see item #2 above 

control: Independent, special-purpose, Executable, which can execute only within a
Secure Processing Environment. Each VDE Control is a Component Assembly
dedicated to a particular activity (e.g., editing, modifying another Control, a
user-defined action, etc.), particular user(s), and particular Protected information, and
whose satisfactory execution is necessary to Allowing that activity. Each separate
information Access or Use is independently Controlled by independent VDE
Control(s). Each VDE Control is assembled within a Secure Processing
Environment from independently deliverable modular components (e.g., Load
Modules or other Controls), dynamically in response to an information Access or Use
Request. The dynamic assembly of a Control is directed by a "blueprint" Record (put
in place by one or more VDE users) Containing control information identifying the
exact modular code components to be assembled and executed to Govern this
particular activity on this particular information by this particular user(s). Each
Control is independently assembled, loaded and delivered vis-a-vis other Controls.
Control information and Controls are extensible and can be configured and modified 
by all users, and combined by all users with any other VDE Control information or 
Controls (including that provided by other users), subject only to "senior" user 
Controls. Users can assign control information (including alternative control 
information) and controls to an arbitrarily fine, user-defined Portion of the Protected 
information, such as a single paragraph of a document, as opposed to being limited to 
file-based Controls. VDE Controls reliably limit Use of the Protected information to 
Authorized activities and amounts. 


18. 


determining whether said 
digital file may be copied 
and stored on a second 
device based on said first 
control, 


determining whether said digital file may be copied and stored on a second device
based on said first control: Determining whether said first Control, by itself, Allows
this particular first device to perform both of the following actions on this particular
Digital File: (1) Copy it and (2) store it (as opposed to a copy of it) on a second
device, by executing the first VDE Control within VDE Secure Processing
Environment(s). To the extent that either the Copy or store action is not determined 
by this step to be permissible, that action is prohibited and incapable of occurring, and 
no user, process or device can perform it on this Digital File. 

digital file: see item #2 above 

copied: see item #10 above 

control: see item #17 above 


19. 


said determining step 
including identifying said 
second device and 


identifying said second device: Identifying a second device sufficiently to distinguish 
it from all other devices, by executing VDE Control(s) within VDE Secure 
Processing Environment(s). 

determining whether said
first control allows transfer 
of said copied file to said 
second device, 


whether said first control allows transfer of said copied file to said second device:
Whether the first Control, by itself, Allows the entire Digital File (which has been
Copied at least once) (as opposed to the copy) to be moved to the identified second 
device. If not, that transfer is prohibited and incapable of occurring and no user, 
process or device can perform that action on this Digital File. 

Identifying/identify: To establish as being a particular instance of a person or thing 

control: see item #17 above 

allow: see item #9 above 

copied file: A Digital File that has been Copied. The "copied file" is not the copy 
itself. A "copy" is what is formed by a Copying operation, and it may or may not be 
encrypted, ephemeral, usable, or accessible. 


20. 


said determination based at 
least in part on the features 
present at the device to 
which said copied file is to 
be transferred; 


said determination based at least in part on the features present at the device: Basing
the determination at least in part upon all actual, current features of the device (as
opposed to previously determined, reported, or measured features) which might affect 
the device's ability to prevent Unauthorized Access to or Use of (or both) the Digital 
File. This determination is done without trusting either the device or any user of the 
device. A device Identifier such as a serial number is not a "feature present at the 
device." 

copied file: see item #19 above 


21. 


if said first control allows 
at least a portion of said 
digital file to be copied and 
stored on a second device, 


if said first control allows at least a portion of said digital file to be copied and stored
on a second device: This "if" condition creates two branches for the recited process,
each of which must be performed. Each time the "if" condition is met, all four of the
later-recited actions (Copying, transferring, storing, Rendering) must occur. Each
time it is not met, each of these four actions must be disabled and prohibited and
incapable of occurring.

This "if" condition is met if and only if the first Control allows any Portion of the
Digital File to be Copied and also allows that same Portion of the Digital File (as
opposed to the copy) to be on any second device. This "if" condition is based entirely
on the first Control and thus is met, as above, even if other VDE Controls prohibit
those actions.

This claim limitation's recitation of "said first control allows at least a portion" is
inconsistent with the claim limitation "whether said digital file may be copied ... based
on said first control."

control: see item #17 above 

allow: see item #9 above 

portion: see item #9 above 

digital file: see item #2 above 


22. 


copying at least a portion 
of said digital file; 


copying at least a portion of said digital file: see item #10 above 


copying: see item #8 above 
portion: see item #9 above 



EXHIBIT A TO JOINT CLAIM CONSTRUCTION STATEMENT






'193 Claim 11


MS Construction 






digital file: see item #2 above 


23. 


transferring at least a 
portion of said digital file 
to a second device 
including a memory and 
an audio and/or video 
output; 


transferring at least a portion of said digital file to a second device: see item #11
above

portion: see item #9 above
digital file: see item #2 above
memory: see item #3 above


24. 


storing said digital file in 
said memory of said 
second device; and 


storing said digital file: see item #12 above 
digital file: see item #2 above 


25. 


rendering said digital file 
through said output 


rendering: Playing content through an audio output (e.g., speakers) or displaying 
content on a video output (e.g., a screen). 

digital file: see item #2 above 

This claim limitation's recitation of "said output" is inconsistent with the claim
limitation "an audio and/or video output."


26.


15. A method comprising: 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.)


27. 


receiving a digital file, 


receiving a digital file: see item #2 above. This step must proceed in both
"Authentication branches" of the process (i.e., regardless of the outcome of the 
"Authentication" step). 

digital file: see item #2 above 


28. 


an authentication step 
comprising: 


an authentication step comprising: Authenticating the first device and/or user of the
first device without relying on trusting either, by executing VDE Control(s) within
VDE Secure Processing Environment(s).

authentication: To establish that the following asserted characteristics of something 
(e.g., a person, device, organization, document, file, etc.) are genuine: its Identity, its 
data integrity, (i.e., it has not been altered) and its origin integrity (i.e., its source and 
time of origination). 


29. 


accessing at least one 
identifier associated with a 
first device or with a user 
of said first device; and 


accessing at least one identifier associated with a first device or with a user of said first
device: Securely Accessing at least one Identifier Associated With a single ("first")
device or (as opposed to "and") with a single, current user of that device, by executing
VDE Control(s) within VDE Secure Processing Environment(s). One of the "at
least one identifier" may be Associated With a first device while another of the "at 
least one identifier" may be Associated With a user of said first device. 

Access (accessing): To satisfactorily perform the steps necessary to obtain something 
so that it can be Used in some manner (e.g., for information: copied, printed, 
decrypted, encrypted, saved, modified, observed, or moved, etc.). In VDE, access to 
protected information is achieved only through execution (within a Secure Processing 
Environment) of the VDE Control(s) assigned to the particular "access" request, 
satisfaction of all requirements imposed by such execution, and the Controlled 
Opening of the Secure Container Containing the information. 

identifier: Any text string used as a label naming an individual instance of what it 
Identifies. 

associated with: see item #4 above 


30. 


determining whether said 
identifier is associated 
with a device and/or user 
authorized to store said 
digital file; 


determining whether said identifier is associated with a device and/or user authorized
to store said digital file: For each accessed "at least one identifier," determining
whether the device with which it is Associated is one on which the Digital File may
be stored (by any user) and/or whether the user, with which it is Associated is one who
may store the Digital File (on any device), by executing VDE Control(s) within VDE
Secure Processing Environment(s). Each Identifier may be Associated With a
device "and" a user, or with a device only, or with a user only.

This claim limitation's recitation of "said identifier" is inconsistent with the claim
limitation "at least one identifier."

identifier: see item #29 above

associated with: see item #4 above 

authorized: An action is permitted that otherwise cannot be taken by any user, 
process, or device. In VDE, an action is authorized only through execution of the 
applicable VDE Control(s) within a VDE Secure Processing Environment and 
satisfaction of all requirements imposed by such execution.

"not authorized": The action is prohibited and cannot be taken by any user, process, or
device. 

digital file: see item #2 above 


31. 


storing said digital file in a 
first secure memory of said 
first device, but only if said 
device and/or user is so 
authorized, but not 
proceeding with said 
storing if said device 
and/or user is not 
authorized; 


storing said digital file in a first secure memory of said first device, but only if said
device and/or user is so authorized, but not proceeding with said storing if said device
and/or user is not authorized: This conditional step creates at least two
"Authentication" branches for the recited process, each of which must be performed. 
Each time the condition is met, the recited "storing" must occur. Each time it is not 
met, the recited "storing" must not occur. 

If "storing" proceeds, then: storing in a Secure Memory of the first device, the entire
Digital File received in the "receiving" step, as opposed to a copy of the File or a 
Portion of the Digital File, by executing VDE Control(s) within VDE Secure 
Processing Environment(s). If "storing" does not proceed: then the Digital File is 
not stored in the Secure Memory of the first device, and is prevented from being 
stored anywhere on the first device. 

This limitation is internally inconsistent on the circumstances under which the storing 
proceeds or does not proceed. For example, the first ("only if") phrase requires that
the storing step proceeds if the device is Authorized (and the user is not) while the 
second ("but not") phrase requires that the storing step not proceed if the device is 
Authorized (and the user is not). 

authorized: see item #30 above 

digital file: see item #2 above 

secure memory: see item #3 above 


32. 


storing information 
associated with said digital 
file in a secure database 
stored on said first device, 
said information including 
at least one control; 


storing information associated with said digital file in a secure database stored on said
first device, said information including at least one control: Storing information in a
Secure Database, the entirety of information (including the "at least one Control")
being Associated With the Digital File (as opposed to the file's contents independent 
of the file), by executing VDE Control(s) within VDE Secure Processing 
Environment(s). 

This step must proceed in both "Authentication branches" of the process (i.e., 
regardless of the outcome of the "Authentication" step). 

associated with: see item #4 above 

digital file: see item #2 above

secure database: see item #4 above 

control: see item #17 above 


33. 


determining whether said 
digital file may be copied 
and stored on a second 
device based on said at 
least one control; 


determining whether said digital file may be copied and stored on a second device
based on said at least one control: see item #8 above

This step must proceed in both "Authentication branches" of the process (i.e.,
regardless of the outcome of the "Authentication" step).

digital file: see item #2 above

copied: see item #10 above

control: see item #17 above


34. 


if said at least one control 
allows at least a portion of 
said digital file to be
copied and stored on a 
second device, 


if said at least one control allows at least a portion of said digital file to be copied and
stored on a second device: see item #9 above

control: see item #17 above 

allow: see item #9 above 

portion: see item #9 above 

digital file: see item #2 above 

copied: see item #10 above 


35. 


copying at least a portion 
of said digital file; 


copying at least a portion of said digital file: see item #10 above 


copying: see item #8 above 
portion: see item #9 above 
digital file: see item #2 above 


36. 


transferring at least a 
portion of said digital file 
to a second device 
including a memory and 
an audio and/or video 
output; 


transferring at least a portion of said digital file to a second device: see item #11 above

This step must proceed in both "Authentication branches" of the process (i.e., 
regardless of the outcome of the "Authentication" step). 

portion: see item #9 above 

digital file: see item #2 above 

memory: see item #3 above 


37. 


storing said digital file in 
said memory of said 
second device; and 


storing said digital file: see item #12 above 

This step must proceed in both "Authentication branches" of the process (i.e., 
regardless of the outcome of the "Authentication" step). 

This claim limitation's recitation of "storing said digital file" is inconsistent with the 
claim limitation "transferring at least a portion of said digital file." 

digital file: see item #2 above 

memory: see item #3 above 


38. 


rendering said digital file
through said output. 


rendering: see item #25 above 

digital file: see item #2 above

This claim limitation's recitation of "said output" is inconsistent with the claim 
limitation "an audio and/or video output." 

39.


19. A method comprising: 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


40. 


receiving a digital file at a 
first device; 


receiving a digital file at a first device: see item #2 above 
digital file: see item #2 above 


41. 


establishing
communication between
said first device and a 
clearinghouse located at a 
location remote from said 
first device; 


establishing communication between said first device and a clearinghouse located at a
location remote from said first device: This claim language falls within 35 U.S.C. §
112, ¶ 6. It recites a step or result ("establishing communication") without reciting an
action that achieves that result. The specification does not clearly link any particular
action to this recited step. Part of the recited function is performed by the Remote
Procedure Call Manager 732 software of Rights Operating System 602 that controls
I/O controller 660 and Communications Controller 666. Remote Procedure Call
Manager handles all communication between VDE processes.

The recited function is: creating and using a previously non-existent communications 
channel which is necessary and sufficient for exchanging information between the first 
device and a Clearinghouse. 

clearinghouse: A computer system that provides intermediate storing and forwarding 
services for both content and audit information, and which two or more parties trust to 
provide its services independently because it is operated under constraint of VDE 
Security. "Audit information" means all information created, stored, or reported in 
connection with an "auditing" process. "Auditing" means tracking, metering and 
reporting the usage of particular information or a particular appliance. 


42. 


said first device obtaining 
authorization information 
including a key from said 
clearinghouse; 


authorization information: "Control information" identifying the exact modular code 
components to be assembled into a VDE Control and executed within a Secure 
Processing Environment to permit a particular activity that otherwise cannot be taken 
(i.e., is prohibited). ("Control information" is information which Identifies the exact 
modular code components and data which must be assembled and executed to Control 
a particular activity on particular information, of arbitrary, user-defined granularity, by 
particular user(s)). 

key: A bit sequence used and needed by a cryptographic algorithm to encrypt a block 
of plain text or to decrypt a block of cipher text. A Key is different from a key seed or 
other information from which the actual encryption and/or decryption Key is 
constructed, derived, or otherwise identified. In symmetric key cryptography, the 
same key is used for both encryption and decryption. In asymmetric or "public key"
cryptography, two related keys are used; a block of text encrypted by one of the two
keys (e.g., the "public key") can be decrypted only by the corresponding key (e.g., the
"private key").

clearinghouse: see item #41 above 


43. 


said first device using said 
authorization information 
to gain access to or make 
at least one use of said first 
digital file, 


using said authorization information to gain access to or make at least one use of said
first digital file: A user, process or device uses all of said Authorization Information
in connection with executing VDE Control(s) within VDE Secure Processing
Environment(s) to gain Access to or (as opposed to "and") make at least one Use of
the Digital File received in the "receiving" step. Without using such Authorization
Information, no Access to or Use of the file is Allowed.

authorization information: see item #42 above 

access: see item #29 above 

use: To use information is to perform some action on it or with it (e.g., copying,
printing, decrypting, encrypting, saving, modifying, observing, or moving, etc.). In
VDE, information Use is Allowed only through execution of the applicable VDE
Control(s) and satisfaction of all requirements imposed by such execution.

digital file: see item #2 above 


44. 


including using said key to 
decrypt at least a portion 
of said first digital file; and 


including using said key to decrypt at least a portion of said first digital file: The "at
least one use of said digital file" must encompass decrypting at least a Portion of the
Digital File using the Key.

portion: see item #9 above 

digital file: see item #2 above 


45. 


receiving a first control 
from said clearinghouse at 
said first device; 


receiving a first control from said clearinghouse at said first device: This claim
language falls within 35 U.S.C. § 112, ¶ 6. It recites a step or result ("receiving")
without reciting an action that achieves that result. The specification does not clearly
link any particular action to this recited step. Part of the recited function is performed
by Communications Controller 666, I/O Controller 600, SPE 503/SPU 500
(particularly "SPU Encryption/Decryption Engine 522" and NVRAM 534b).

The recited function requires: obtaining a VDE Secure Container encapsulating a 
first Control, authenticating the first device in accordance with VDE Controls 
Associated With the Secure Container, and accepting the Secure Container. 

control: see item #17 above 

clearinghouse: see item #41 above 


46. 


storing said first digital file 
in a memory of said first 
device; 


storing said first digital file in a memory of said first device: Storing in a Memory of
the first device, the entire Digital File (as opposed to a Portion thereof) received in
the "receiving" step, by executing VDE Control(s) within VDE Secure Processing 
Environment(s). 

digital file: see item #2 above 

memory: see item #3 above 


47. 


using said first control to 
determine whether said 
first digital file may be 
copied and stored on a 
second device; 


using said first control to determine whether said first digital file may be copied and
stored on a second device: Determining whether the first Control, by itself, allows
this particular first device to perform both of the following actions on this particular 
Digital File: (1) Copy it and (2) store it (as opposed to a copy of it) on a second 
device, by executing the first VDE Control within VDE Secure Processing 
Environment(s). To the extent that either the Copy or store action is not determined 
by this step to be permissible, that action is prohibited and incapable of occurring, and 
no user, process or device can perform it on this Digital File. 

control: see item #17 above 

digital file: see item #2 above 

copied: see item #10 above


48. 


if said first control allows
at least a portion of said
first digital file to be
copied and stored on a
second device,


if said first control allows at least a portion of said first digital file to be copied and
stored on a second device: see item #9 above


This claim limitation's recitation of "first control allows at least a portion of said first 
digital file" is inconsistent with the claim limitation "whether said first digital file may 
be copied ... on a second device." 

control: see item #17 above 

allow: see item #9 above 

portion: see item #9 above 

digital file: see item #2 above 

copied: see item #10 above 


49. 


copying at least a portion 
of said first digital file; 


copying at least a portion of said first digital file: see item #10 above


copying: see item #8 above 
portion: see item #9 above 
digital file: see item #2 above 


50. 


transferring at least a 
portion of said first digital 
file to a second device 
including a memory and an 
audio and/or video output; 


transferring at least a portion of said first digital file to a second device including a
memory and an audio and/or video output: see item #11 above
portion: see item #9 above 
digital file: see item #2 above 
memory: see item #3 above 


51. 


storing said first digital file 
portion in said memory of 
said second device; and 


storing said first digital file portion: Storing the "at least a portion" which was 
transferred to the second device, of the Digital File received in the "receiving" step (as 
opposed to a copy of the Digital File). 

digital file: see item #2 above 

portion: see item #9 above 

memory: see item #3 above 


52. 


rendering said first digital 
file portion through said 
output. 


rendering: see item #25 above 
portion: see item #9 above 
digital file: see item #2 above 

This claim limitation's recitation of "said output" is inconsistent with the claim 
limitation "an audio and/or video output." 

53.


2. A system including: 


Claim as a Whole: The "system" is a VDE. (See item #93 for Microsoft's
construction of VDE.) 


54. 


a first apparatus including, 




55. 


user controls, 


user controls: Controls created, modified, or selected by a user to Control a particular 
Use or Access by the user to particular Protected information. 

control: see item #17 above


56. 


a communications port, 




57. 


a processor, 




58. 


a memory storing: 


memory: see item #3 above 


59. 


a first secure container 


secure container: A VDE Secure Container is a self-contained, self-protecting data
structure which (a) encapsulates information of arbitrary size, type, format, and 
organization, including other, nested, containers, (b) cryptographically protects that 
information from all unauthorized Access and Use, (c) provides encrypted storage 
management functions for that information, such as hiding the physical storage 
location(s) of its protected contents, (d) permits the Association of itself or its contents 
with Controls and Control information Governing Access to and Use thereof, and (e) 
prevents such Use or Access (as opposed to merely preventing decryption) until it is 
"opened." A Secure Container can be opened only as expressly Allowed by the 
associated VDE Control(s), only within a Secure Processing Environment, and only
through decryption of its encrypted header. A Secure Container is not directly 
accessible to any non-VDE or user calling process. All such calls are intercepted by 
VDE. The creator of a Secure Container can assign (or allow others to assign) 
control information to any arbitrary Portion of a Secure Container's contents, or to 
an empty Secure Container (to Govern the later addition of contents to the container, 
and Access to or Use of those contents). A container is not a Secure Container 
merely because its contents are encrypted and signed. A Secure Container is itself 
Secure. All VDE-Protected information (including protected content, information 
about content usage, content-control information, Controls, and Load Modules) is 
encapsulated within a Secure Container whenever stored outside a Secure 
Processing Environment or Secure Database. 


60. 


containing a governed 
item, 


containing: Physically (directly) storing within, as opposed to Addressing. 

governed item: Information, of arbitrarily fine granularity, whose Access and Use by 
any user, process, or device is Controlled. 


61. 


the first secure container 
governed item being at
least in part encrypted; 


secure container: see item #59 above 
governed item: see item #60 above 


62. 


the first secure container 
having been received from 
a second apparatus; 


the first secure container having been received from a second apparatus: The "first
secure container" must Identify the single apparatus from which it was received, and
that apparatus must be different from the first apparatus. Alternatively, if the Court
does not construe this claim language as requiring the "first secure container" to
identify the single apparatus from which it was received: This claim language has no
patentable weight. It recites a step taken in the creation of the recited system, not a 
structural or functional characteristic of the system. One studying a particular system 
(as opposed to the process by which it was created) to compare it to the claimed 
system, could not distinguish a Secure Container received from another apparatus 
from, e.g., a Secure Container created on the first apparatus, and thus could not 
determine whether this step was satisfied. 


Receiving the Secure Container includes Authenticating the intended recipient in
accordance with VDE Controls Associated With the Secure Container. The first 
Secure Container may be received as bar codes in a fax transmission, or filled ovals 
on a form delivered through physical mail. 

secure container: see item #59 above


63. 


a first secure container 
rule 


secure container rule: A Rule that Governs a Secure Container Governed Item. 

rule: A lexical statement that states a condition under which Access to or Use of 
VDE-Protected data will be Allowed by a VDE Control. A rule may specify how, 
when, where, and by whom a particular activity on particular information is to be 
Allowed. 


64. 


at least in part governing
an aspect of access to or 
use of said first secure 
container governed item, 


an aspect of access to or use of: Any one (as opposed to more than one) aspect of any 
Access to or (as opposed to "and") Use by any and all processes, users, and devices. 

governing: see Control (v.) item #7 above 

aspect: An aspect of an environment is a persistent element or property of that 
environment that can be used to distinguish it from other environments. 

access: see item #29 above 

use: To use information is to perform some action on it or with it (e.g., copying, 
printing, decrypting, encrypting, saving, modifying, observing, or moving, etc.). In 
VDE, information Use is Allowed only through execution of the applicable VDE 
Control(s) and satisfaction of all requirements imposed by such execution. 


65. 


the first secure container 
rule, the first secure 
container rule having been 
received from a third 
apparatus different from 
said second apparatus; and 


the first secure container rule having been received from a third apparatus different
from said second apparatus: The "first secure container rule" must have been received
encapsulated within a VDE Secure Container, and the intended recipient must have 
been Authenticated in accordance with VDE Controls Associated With the Secure 
Container, and the "first secure container rule" must have been accepted by the first 
apparatus. The "first secure container rule" must identify the single apparatus from 
which it was received, and that apparatus must be different from the first apparatus. 
Alternatively, if the Court does not construe this claim language as requiring the "first 
secure container" to identify the single apparatus from which it was received: This 
claim language has no patentable weight. It recites a step taken in the creation of the 
recited system, not a structural or functional characteristic of the system. One studying 
a particular system (as opposed to the process by which it was created) to compare it to 
the claimed system, could not distinguish a Secure Container Rule received from 
another apparatus from, e.g., a Secure Container Rule created on the first apparatus, 
and thus could not determine whether this step was satisfied. 

secure container rule: see item #63 above


66. 


hardware or software used 
for receiving and opening 
secure containers, 


hardware or software used for receiving and opening secure containers. 


receiving: This claim language falls within 35 U.S.C. § 112, ¶ 6. It recites an
undefined mechanism ("hardware or software") for performing a function (e.g., 
"Opening") without reciting particular structure that performs that function. The 
specification does not clearly link any particular structure to this recited function. Part 
of the recited function is performed by Communications Controller 666, I/O Controller 
600, SPE 503/SPU 500 (particularly "SPU Encryption/Decryption Engine 522" and 
NVRAM 534b). 

The recited function requires: the same single logical piece of either hardware or 
software (as opposed to both) must be capable of both receiving and Opening Secure 
Containers, this "receiving" including authenticating the intended recipient in
accordance with VDE Controls Associated With the Secure Container, and this
"Opening" performed by executing VDE Control(s) within VDE Secure Processing
Environment(s).

opening secure containers: Establishing the requisites needed to attempt to access the 
contents of a Secure Container. Opening is a necessary but insufficient step before 
the contents of a Secure Container may be copied, decrypted, read, manipulated, or 
otherwise Used, or Accessed. No process, user, or device may Access or Use the 
contents of a Secure Container without first opening that Secure Container. A 
Secure Container may be opened only through execution of the assigned VDE 
Control(s) within a VDE Secure Processing Environment and satisfaction of all
requirements imposed by such execution. 


67. 


said secure containers 
each including the capacity 
to contain a governed 
item, a secure container 
rule being associated with 
each of said secure 
containers; 


said secure containers each including the capacity to contain a governed item, a secure
container rule being associated with each of said secure containers: Each Secure
Container referred to in the phrase "hardware or software used for receiving and
opening secure containers" must have the capacity to Contain a Governed Item, and
must have Associated With it a Secure Container Rule. By "each secure container
referred to in the phrase ..." is meant each Secure Container which the "hardware or
software used for receiving and opening secure containers" is capable of receiving and 
Opening. The Secure Container Rule is Associated With the Secure Container 
itself as opposed to a Governed Item. 

secure container: see #59 above 

capacity: Available storage space that is still capable of allocation. For example, a 
650 MB blank CD, after sealing, has zero capacity because no new material may be 
stored within it.

contain: see item #60 above 

governed item: see item #60 above 

secure container rule: see item #63 above 

associated with: see item #4 above 


68. 


a protected processing 
environment at least in 
part protecting information 
contained in said protected 
processing environment 
from tampering by a user 
of said first apparatus, 


protected processing environment at least in part protecting information contained in
said protected processing environment from tampering by a user of said first
apparatus: A single VDE Secure Processing Environment, in addition to and not
within the first apparatus, actively Preventing (not merely being capable of 
Preventing, and not merely resisting) any "user" of the first apparatus from 
Tampering with any and all information encapsulated by the Secure Processing 
Environment (as opposed to Tampering with the Secure Processing Environment 
itself). Other components may or may not provide part of this Protecting function. 
The Protecting function is provided by use of the disclosed "Component Assembly" 
(VDE Controls), "Secure Container," "Protected Processing Environment," "object 
registration," and other mechanisms of the purported "VDE" "invention" for allegedly 
individually ensuring the "Access Control" "handcuffs" between specific "Controls," 
specific "objects" (and their content at an arbitrary granular level), and specific 
"users." 

protected processing environment: A uniquely identifiable, self-contained computing
base trusted by all VDE nodes to protect the availability, secrecy, integrity and
authenticity of all information identified in the February, 1995, patent application as
being protected, and to guarantee that such information will be accessed and used only
as expressly authorized by VDE Controls. At most VDE nodes, the Protected
Processing Environment is a Secure Processing Environment which is formed by,
and requires, a hardware Tamper Resistant Barrier encapsulating a special-purpose 
Secure Processing Unit having a processor and internal secure Memory. 
("Encapsulated" means hidden within an object so that it is not directly accessible but 
rather is accessible only through the object's restrictive interface.) The barrier prevents
all unauthorized (intentional or accidental) interference, removal, observation, and Use 
of the information and processes within it, by all parties (including all users of the 
device in which the Protected Processing Environment resides), except as expressly 
authorized by VDE Controls. A Protected Processing Environment is under 
Control of Controls and control information provided by one or more parties, rather 
than being under Control of the appliance's users or programs. Where a VDE node is 
an established financial Clearinghouse, or other such facility employing physical 
facility and user-identity Authentication Security procedures trusted by all VDE 
nodes, and the VDE node does not Access or use VDE-protected information, or 
assign VDE control information, then the Protected Processing Environment at that 
VDE node may instead be formed by a general-purpose CPU that executes all VDE 
"security" processes in Protected (privileged) mode. 

A Protected Processing Environment requires more than just verifying the integrity 
of Digitally Signed Executable programming prior to execution of the programming; 
or concealment of the program, associated data, and execution of the program code; or 
use of a password as its protection mechanism. 

protecting: Maintaining the Security of. 

contain (contained): see item #60 above 


69. 


said protected processing 
environment including 
hardware or software used 
for applying said first 
secure container rule and 
a second secure container 
rule in combination to at 
least in part govern at least 
one aspect of access to or 
use of a governed item 
contained in a secure 
container, and 


hardware or software used for applying said first secure container rule and a second
secure container rule in combination to at least in part govern at least one aspect of
access to or use of a governed item contained in a secure container: This claim
language falls within 35 U.S.C. § 112, ¶ 6. It recites an undefined mechanism
("hardware or software") for performing a function ("applying ... in combination")
without reciting particular structure that performs that function. The specification does
not clearly link any particular structure to this recited function. Part of the recited
function is performed by Communications Controller 666, I/O Controller 600, SPE
503/SPU 500 (particularly "SPU Encryption/Decryption Engine 522" and NVRAM
534b).

The recited function requires: a single logical piece of either hardware or software (as 
opposed to both) to apply the two separate Rules in combination by assembling and 
executing a single Control, and to Govern any one or more aspects of any Access or 
Use by any process or user or device, of a Governed Item Contained in a Secure 
Container (which may or may not be any "Secure Container" recited earlier). Other 
components may or may not provide part of the Governing function. This "hardware 
or software" performs its functions by executing VDE Control(s) within VDE Secure 
Processing Environment(s). 

including: see item #2 above 

aspect: see item #64 above 

access: see item #29 above 

contain (contained): see item #60 above 

secure container rule: see item #63 above 

secure container: see #59 above 

governed item: see item #60 above


70. 


hardware or software used 
for transmission of secure 
containers to other 
apparatuses or for the 
receipt of secure containers 
from other apparatuses. 


hardware or software used for transmission of secure containers to other apparatuses or
for the receipt of secure containers from other apparatuses: This claim language falls
within 35 U.S.C. § 112, ¶ 6. It recites an undefined mechanism ("hardware or
software") for performing a function (e.g., "transmission") without reciting particular
structure that performs that function. The specification does not clearly link any 
particular structure to this recited function. Part of the recited function is performed by 
Communications Controller 666, I/O Controller 600, SPE 503/SPU 500 (particularly 
"SPU Encryption/Decryption Engine 522" and NVRAM 534b). 

The recited function requires: a single logical piece of either hardware or software (as 
opposed to both) is capable of both transmission and receipt of Secure Containers, 
this receipt including Authenticating the intended recipient in accordance with VDE 
Controls Associated With the Secure Container. This "hardware or software" is 
separate from and in addition to the first apparatus, the recited "protected processing 
environment," and the recited "hardware or software used for receiving and opening 
secure containers." The transmission and receipt of the Secure Containers may be 
via bar codes in a fax transmission, or filled ovals on a form delivered through 
physical mail. This "hardware or software" performs its functions by executing VDE 
Control(s) within VDE Secure Processing Environment(s). 

secure container: see #59 above 



EXHIBIT A TO JOINT CLAIM CONSTRUCTION STATEMENT 
Page 19 of 37 



'721 Asserted Claim 1





'721 Claim 1 


MS Construction 


71. 


1. A security method
comprising: 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.)


72. 


digitally signing a first 
load module with a first 
digital signature 
designating the first load 
module for use by a first 
device class; 


digitally signing a first load module with a first digital signature designating the first
load module for use by a first device class: Digitally Signing a particular ("first")
Load Module by using a first Digital Signature as the signature Key, which signing 
indicates to any and all devices in the first device class that the signor authorized and 
restricted this Load Module for Use by that device. No VDE device can perform any 
execution of any Load Module without such authorization. The method ensures that 
the Load Module cannot execute in a particular device class and ensures that no 
device in that device class has the Key(s) necessary to verify the Digital Signature. 

digital signature: A computationally unforgeable string of characters (e.g., bits)
generated by a cryptographic operation on a block of data using some secret. The
string can be generated only by an Entity that knows the secret, and hence provides
evidence that the Entity must have generated it.

digitally signing: Creating a Digital Signature using a secret Key. (In symmetric key 
cryptography, a "secret key" is a Key that is known only to the sender and recipient.
In asymmetric key cryptography, a "secret key" is the private Key of a public/private 
key pair, in which the two keys are related uniquely by a predetermined mathematical 
relationship such that it is computationally infeasible to determine one from the other.) 

load module: An Executable, modular unit of machine code (which may include data) 
suitable for loading into Memory for execution by a processor. A Load Module is 
encrypted (when not within a secure processing unit) and has an Identifier that a 
calling process must provide to be able to use the Load Module. A Load Module is 
combinable with other Load Modules, and associated data, to form Executable 
Component Assemblies. A Load Module can execute only in a VDE Protected 
Processing Environment. Library routines are not Load Modules and dynamic link 
libraries are not Load Modules. 

designating: Designating something for a particular Use means specifying it for and 
restricting it to that Use. 

use: see item #64 above 

device class: The generic name for a group of device types. For example, all display 
stations belong to the same device class. A device class is different from a device 
type. A device type is composed of all devices that share a common model number or 
family (e.g. IBM 4331 printers).


73. 


digitally signing a second 
load module with a second 
digital signature different 
from the first digital 
signature, the second 
digital signature 
designating the second 
load module for use by a
second device class having 
at least one of tamper 
resistance and security 
level different from the at 
least one of tamper 
resistance and security 


digitally signing a second load module with a second digital signature different from
the first digital signature, the second digital signature designating the second load
module for use by a second device class having at least one of tamper resistance and
security level different from the at least one of tamper resistance and security level of
the first device class: Digitally Signing a different ("second") Load Module by using
a different ("second") Digital Signature as the signature Key, which signing indicates 
to any and all devices in the second device class that the signor authorized and 
restricted this Load Module for Use by that device. No VDE device can perform any
execution of any Load Module without such authorization. The method ensures that 
the Load Module cannot execute in a particular device class and ensures that no 
device in that device class has the Key(s) necessary to verify the Digital Signature. 
All devices in the first device class have the same persistent (not just occasional) and 
identified level of Tamper Resistance and the same persistent and identified Level of 
Security. All devices in the second device class have the same persistent and 







level of the first device 
class; 


identified level of Tamper Resistance and same persistent and identified Level of 
Security. The identified level of Tamper Resistance or identified Level of Security 
(or both) for the first device class, is greater than or less than the identified Level Of 
Tamper Resistance or identified Level of Security for the second device class. 

digital signature: see item #72 above 

designating: see item #72 above 

device class: see item #72 above 

load module: see item #72 above 

use: see item #64. 

level of security: An ordered measure of the degree of trustworthiness. The "security
level" is persistent unless expressly noted to exist only some of the time. Also, the 
combination of a hierarchical classification and a set of nonhierarchical categories that 
represents the sensitivity of an object or the clearance of a subject. For example,
Unclassified, Confidential, Secret, and Top Secret are hierarchical classifications, 
whereas NATO and NOFORN are non-hierarchical categories defined by the 
Department of Defense Trusted Computing guidelines. 

tamper resistance: The ability of a Tamper Resistant Barrier to prevent Access, 
observation, and interference with information or processing encapsulated by the 
barrier. 


74. 


distributing the first load 
module for use by at least 
one device in the first 
device class; and 


distributing the first load module for use by at least one device in the first device class:
The first Load Module, Digitally Signed as indicated above, is transmitted to at least
one device in the first device class. 

load module: see item #72 above 

device class: see item #72 above 


75. 


distributing the second 
load module for use by at 
least one device in the 
second device class. 


distributing the second load module for use by at least one device in the second device
class: The second Load Module, Digitally Signed as indicated above, is transmitted
to at least one device in the second device class. 

load module: see item #72 above 

device class: see item #72 above 
76.



34. A protected processing 
environment comprising: 



Claim as a Whole: The "Protected Processing Environment" is part of and within
VDE. (See item #93 for Microsoft's construction of VDE.) 



77. 



a first tamper resistant 
barrier having a first 
security level, 



tamper resistant barrier: An active device that encapsulates and separates a Protected
Processing Environment from the rest of the world. It prevents information and 
processes within the Protected Processing Environment from being observed, 
interfered with, and leaving except under appropriate conditions ensuring Security. It 
also Controls external access to the encapsulated Secure resources, processes and 
information. A Tamper Resistant Barrier is capable of destroying protected 
information in response to Tampering attempts. 

security level: see item #73 above



78. 



a first secure execution
space, and 



secure execution space: An allocated Portion of the Secure Memory within a
special-purpose secure processing unit which is isolated from the rest of the world, and
protected from observation by (and encapsulated within) a Tamper Resistant Barrier 
and protected from alteration by the processor. The processor cryptographically 
verifies the integrity of all code loaded from Secure Memory prior to execution, 
executes only the code that the processor has authenticated for its use, and is otherwise 
Secure. 



79. 



at least one arrangement 
within the first tamper 
resistant barrier that



arrangement within the first tamper resistant barrier: An organization of hardware and
software which arrangement is located and executed wholly within the first Tamper
Resistant Barrier. 

arrangement: A collection of things that have been arranged. In context, the term
requires an organization of hardware and software and data, or hardware and software, 
or hardware and data. 

tamper resistant barrier: see item #72 above



80. 



prevents the first secure 
execution space from 
executing the same 
executable accessed by a 
second secure execution 
space having a second 
tamper resistant barrier 
with a second security 
level different from the 
first security level 



prevents the first secure execution space from executing the same executable accessed 
by a second secure execution space having a second tamper resistant barrier with a 
second security level different from the first security level: "A second secure
execution space having a second tamper resistant barrier with a second security level 
different from the first security level": a second Secure Execution Space (different 
from the first Secure Execution Space) is part of the Protected Processing 
Environment, and has a Tamper Resistant Barrier (different from the first Tamper 
Resistant Barrier) that has a persistent (not just occasional) Security Level greater 
than or less than the first persistent Security Level.

"The same executable accessed by": the same Executable (as opposed to, e.g., two
copies of the same Executable) is simultaneously accessed by both the first Secure 
Execution Space and the second Secure Execution Space. 

"Prevents the first secure execution space from executing": the arrangement Prevents 
the first Secure Execution Space, otherwise capable of executing the Executable, 
from executing any part of the Executable (e.g., on behalf of any user, process, or 
device). 

prevents: Imposes an active restraint on an action such that it cannot occur by any
means or under any circumstances. 

access (accessed): see item #29 above 

security level: see item #73 above
81.


58. A method of 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


82. 


creating a first secure 
container, said method 
including the following 
steps; 


creating a first secure container: This preamble language is a claim limitation.

Completely forming (as opposed to defining) the Secure Container, within a VDE
Secure Processing Environment(s).

secure container: see item #59 above


83. 


accessing a descriptive 
data structure, said 
descriptive data structure 
including or addressing 
organization information 
at least in part describing 
a required or desired 
organization of a content 
section of said first secure 
container, and metadata 
information at least in part 
specifying at least one step 
required or desired in 
creation of said first 
secure container; 


including or addressing organization information at least in part describing a required
or desired organization of a content section of said first secure container, and
metadata information at least in part specifying at least one step required or desired in
creation of said first secure container: The same single Descriptive Data Structure
must either Contain within its confines or Address both Organization Information 
and Metadata Information. 

Both the "desired" organization of the content section and also the "desired" step, 
occur after the Descriptive Data Structure is accessed, not before. 

The Metadata Information explicitly Identifies a procedure ("step") that must be
executed in creation of the first Secure Container, as opposed to Identifying a
procedure to be run if later required or desired, as opposed to Identifying a result or a 
Data Item to be included in the first Secure Container, and as opposed to identifying 
information which operates as a parameter for a procedure. 

required: A condition without which an action cannot occur. A required condition acts 
prospectively - it does not apply to a description created at or after the creation of the 
object to which it applies. 

access (accessing): see item #29 above 

descriptive data structure: A machine-readable data structure (e.g., text file, template, 
etc.) Containing or Addressing descriptive information (e.g., Metadata, shorthand 
abstract representation, integrity constraints, Rules, instructions, etc.) about (1) the
layout, generic format, attributes, or hierarchical structure of the contents section of
one or a family of other data structure(s) (e.g., a rights management data structure), (2)
the operations or processes used to create or Use such other data structure(s), and/or
(3) the consequences of such operations. The Descriptive Data Structure is capable
of being used to create or handle (e.g., read, locate information within, request
information from, and/or manipulate) the other data structure(s). The Descriptive
Data Structure is not Associated With the other data structure(s) and does not 
Contain or specify its particular contents (e.g., "Yankees Win the Pennant!"). 

addressing: Referring to something by the specific location where it is stored, without 
directly storing it. The location is explicitly identified by its name or number. 

Organization (organization, organization information): The manner in which data is 
represented and laid out in physical storage. For example, for data organized as 
records: the field hierarchy, order, type and size. 

organize: Representing and laying out data in a particular manner in physical storage. 

metadata information: Information that describes one or more attributes of other data, 
and/or the processes used to create and/or Use that data. For example, Metadata 
Information may describe the following attributes of other data: its meaning, 
representation in storage, what it is used for and by whom, context, quality and 
condition, location, ownership, or its data elements or their attributes (name, size, data 
type, etc.)


84. 


using said descriptive 
data structure to organize 
said first secure container 
contents; 


descriptive data structure: see item #83 above
including: see item #2 above 
organize: see item #83 above 


85. 


using said metadata 
information to at least in 
part determine specific 
information required to be 
included in said first 
secure container contents; 
and 


at least in part determine specific information required to be included in said first
secure container contents: The Metadata Information is used to determine the specific
value, not merely the kind, of at least some of the information that must be placed 
inside the Secure Container. 

The use of the Metadata Information actively requires the Secure Container 
creation steps to add this specific information to the first Secure Container, as 
opposed to the specific information being within the Secure Container for some other 
reason. 

required: see item #83 above 
including (included): see item #2 above 


86. 


generating or identifying 
at least one rule designed 
to control at least one 
aspect of access to or use 
of at least a portion of said 
first secure container 
contents. 


generating or identifying at least one rule designed to control at least one aspect of
access to or use of at least a portion of said first secure container contents:
Generating or Identifying Rule designed for these particular Secure Container
contents, which is used (by VDE Control(s) executing in VDE Secure Processing
Environment(s)) to limit Access to or Use of at least a Portion of the contents of the
first Secure Container (by all users, processes, and devices). Without compliance 
with this Rule, no process, user, or device is able to take the Controlled aspect of the 
Controlled Access or Use action. 

The Rule is generated or Identified based at least in part on the Descriptive Data 
Structure. 

generating: Producing.
identifying: see item #19 above 
rule: see item #63 above 
control: see item #17 above 
aspect: see item #64 above 
access: see item #29 above 
use: see item #43 above 
portion: see item #9 above 
secure container: see item #59 above
87.


1. A method for using at
least one 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


88. 


resource processed in a 
secure operating 
environment at a first 
appliance, said method 
comprising: 


resource processed in a secure operating environment at a first appliance: This
preamble language is a claim limitation. A shared facility, required by a job or task, of
a first appliance's Secure Operating Environment which is processed within that
Secure Operating Environment's special-purpose Secure Processing Unit. A Secure
Processing Unit is a special-purpose unit isolated from the rest of the world in which a 
hardware Tamper Resistant Barrier encapsulates a processor and internal Secure 
Memory. The Tamper Resistant Barrier prevents all unauthorized interference, 
removal, observation, and Use of the information and processes within it. The 
processor cryptographically verifies the integrity of all code loaded from the Secure 
Memory prior to execution, executes only the code that the processor has 
authenticated for its Use, and is otherwise Secure. 

resource processed: A record containing control information, which record is stored 
and acted upon within a processing environment.

secure operating environment: Same as Secure Processing Environment. 


89. 


securely receiving a first
entity's control at said first 
appliance, said first entity 
being located remotely from 
said operating 
environment and said first 
appliance; 


securely receiving a first entity's control at said first appliance: This claim language
falls within 35 U.S.C. § 112, ¶ 6. It recites a step or result ("Securely receiving")
without reciting an action that achieves that result. The specification does not clearly
link any particular action to this recited step. Part of the recited function is performed 
by Communications Controller 666, I/O Controller 600, SPE 503/SPU 500 
(particularly "SPU Encryption/Decryption Engine 522" and NVRAM 534b). 

The recited function requires: A first appliance obtaining a VDE Secure Container 
encapsulating a Control created, selected, or modified by a first entity, as part of a 
communication encrypted on the communications level, authenticating the first 
appliance in accordance with VDE Controls Associated With the Secure Container, 
and accepting the Secure Container. 

entity: Any person or organization. 

entity's control: Control created, modified, or selected by any person or organization 
to Control a particular Use of or Access to particular Protected information by a 
particular user(s). 

control: see item #17 above 

operating environment: see item #88 above 


90. 


securely receiving a second 
entity's control at said first
appliance, said second 
entity being located 
remotely from said 
operating environment and 

said first appliance, said

second entity being different 
from said first entity; and 


securely receiving a second entity's control at said first appliance: This claim language
falls within 35 U.S.C. § 112, ¶ 6. It recites a step or result ("securely receiving")
without reciting an action that achieves that result. The specification does not clearly 
link any particular action to this recited step. Part of the recited function is performed 
by Communications Controller 666, I/O Controller 600, SPE 503/SPU 500 
(particularly "SPU Encryption/Decryption Engine 522" and NVRAM 534b). 

The recited function requires: A first appliance obtaining a VDE Secure Container 
encapsulating a Control created, selected, or modified by a second entity, as part of a 
communication encrypted on the communications level, Authenticating the first 
appliance in accordance with VDE Controls Associated With the Secure Container, 
and accepting the Secure Container. 
entity's control: see item #89 above
control: see item #17 above 




91.


securely processing a data
item at said first appliance,
using at least one resource, 
including 


securely processing a data item at said first appliance, using at least one resource,
including: Performing an operation, inside the special-purpose Secure Processing
Unit of the first appliance, on a Data Item inside the Secure Processing Unit. The 
operation cannot be observed from outside the Secure Processing Unit and is 
performed only after the integrity of the program code for performing such operation is 
cryptographically verified. A Secure Processing Unit is a special-purpose unit isolated 
from the rest of the world in which a hardware Tamper Resistant Barrier 
encapsulates a processor and internal Secure Memory. The Tamper Resistant 
Barrier prevents all unauthorized interference, removal, observation, and Use of the 
information and processes within it. The processor cryptographically verifies the
integrity of all code loaded from the Secure Memory prior to execution, executes only 
the code that the processor has authenticated for its Use, and is otherwise Secure. 

control: see item #17 above 

data item: An individual unit of digital information representing a single value, such 
as that stored in a field of a larger Record in a database. It is the smallest useful unit 
of named information in the system. 

resource: A shared facility of a computing system or operating system, which is 
required by a job or task, and is processed by a processing unit.


92. 


securely applying, at said 
first appliance through use 
of said at least one resource 
said first entity's control 
and said second entity's 
control to govern use of 
said data item. 


securely applying, at said first appliance through use of said at least one resource said
first entity's control and said second entity's control to govern use of said data item:
Processing the resource (component part of a first appliance's Secure Operating
Environment) within the Secure Operating Environment's special-purpose Secure
Processing Unit to execute the first Control and second Control in combination within
the Secure Processing Unit. This execution of these Controls Governs all Use of the
Data Item by all users, processes, and devices. The processing of the Resource and 
execution of the Controls cannot be observed from outside the Secure Processing Unit 
and is performed only after the integrity of the Resource and Controls is 
cryptographically verified. A Secure Processing Unit is a special-purpose unit isolated 
from the rest of the world in which a hardware Tamper Resistant Barrier 
encapsulates a processor and internal Secure Memory. The Tamper Resistant 
Barrier prevents all unauthorized interference, removal, observation, and Use of the 
information and processes within it. The processor cryptographically verifies the
integrity of all code loaded from the Secure Memory prior to execution, executes only 
the code that the processor has authenticated for its Use, and is otherwise Secure. 

control: see item #17 above 

data item: see item #91 above 

resource: see item #91 above 

use: see item #43 above 

govern: see Control (v.) item #7 above 
93.


155. A virtual 
distribution environment 

comprising 


Claim as a Whole: The "virtual distribution environment" is VDE.
VDE/Virtual Distribution Environment: 


Data Security and Commerce World: InterTrust's February 13, 1995, patent
application described as its "invention" a Virtual Distribution Environment ("VDE
invention") for Securing, administering, and auditing all Security and commerce 
digital information within its multi-node world (community). VDE guarantees to all 
VDE "participants" identified in the patent application that it will limit all Access to 
and Use (i.e., interaction) of such information to Authorized activities and amounts, 
will ensure any requested reporting of and payment for such Use, and will maintain the 
availability, secrecy, integrity, non-repudiation and authenticity of all such information 
present at any of its nodes (including Protected content, information about content 
usage, and content Controls.). 

VDE is Secure against at least the threats identified in the February 1995, patent
application to this availability (no user may delete the information without
Authorization), secrecy (neither available nor disclosed to unauthorized persons or
processes), integrity (neither intentional nor accidental alteration), non-repudiation
(neither the receiver can disavow the receipt of a message nor can the sender disavow
the origination of that message) and authenticity (asserted characteristics are genuine).
VDE further provides and requires the components and capabilities described below.
Anything less than or different than this is not VDE or the described "invention."

Secure Processing Environment: At each node where VDE-Protected information is 
Accessed, Used, or assigned control information, VDE requires a Secure Processing
Environment. A Secure Processing Environment is uniquely identifiable,
self-contained, non-circumventable, and trusted by all other VDE nodes to protect the
availability, secrecy, integrity and authenticity of all information identified in the 
patent application as being Protected, and to guarantee that such information will be 
Accessed and Used only as expressly Authorized by the associated VDE Controls, 
and to guarantee that all requested reporting of and payments for protected information 
use will be made. A Secure Processing Environment is formed by, and requires, a 
Secure Processing Unit having a hardware Tamper Resistant Barrier encapsulating a 
processor and internal Secure Memory. The Tamper Resistant Barrier prevents all 
unauthorized interference, removal, observation, and other Use of the information and 
processes within it. 

VDE Controls: VDE Allows Access to or Use of Protected information and 
processes only through execution of (and satisfaction of the requirements imposed by) 
independent, special-purpose, Executable VDE Control(s). Each VDE Control is a 
Component Assembly dedicated to a particular activity (e.g., editing, modifying 
another Control, a user-defined action, etc.), particular user(s), and particular 
protected information. Each separate information Access or Use is independently 
Controlled by independent VDE Control(s). A VDE Control can execute only 
within a Secure Processing Environment. Each VDE Control is assembled, within a 
Secure Processing Environment, from independently deliverable modular 
components (e.g., Load Modules or other Controls), dynamically in response to an 
information Access or Use request. The dynamic assembly of a Control is directed by 
a "blueprint" Record (put in place by one or more VDE users) Containing control 
information identifying the exact modular code components to be assembled and 
executed to Govern this particular activity on this particular information by this 
particular user(s). Each Control is independently assembled, loaded and delivered 
vis-a-vis other Controls. Control information and Controls are extensible and can be 
configured and modified by all users, and combined by all users with any other VDE 
control information or Controls (including that provided by other users), subject only 
to "senior" user Controls. Users can assign control information and Controls to all of 
or an arbitrarily fine, user-defined Portion of the Protected information, such as a 
single paragraph of a document, as opposed to being limited to file-based controls. 
VDE Controls reliably limit Access and Use of the protected information to
Authorized activities and amounts. 

VDE Secure Container: A VDE Secure Container is a self-contained, self-protecting
data structure which (a) encapsulates information of arbitrary size, type, format, and
organization, including other, nested, containers, (b) cryptographically protects that
information from all unauthorized Access and Use, (c) provides encrypted
storage-management functions for that information, such as hiding the physical storage
location(s) of its Protected contents, (d) permits the Association of itself and/or all of 
or arbitrary Portions of its contents with Controls and control information Governing 
Access to and Use thereof, and (e) Prevents such Use or Access (as opposed to merely 
Preventing decryption) until it is opened. A Secure Container Can Be opened only 
as expressly Allowed by the associated VDE Control(s), only within a Secure 
Processing Environment, and only through decryption of its encrypted header. A 
Secure Container is not directly accessible to any non-VDE calling process. All such 
calls are intercepted by VDE. The creator of a Secure Container can assign (or allow 
others to assign) control information to all of or any arbitrary Portion of a Secure 
Container's contents, or to an empty Secure Container (to Govern the addition of 
contents to the Secure Container, and Access to or Use of those contents). A 
container is not a Secure Container merely because its contents are encrypted and 
signed. All VDE-Protected information (including protected content, information 
about content usage, and Controls) is encapsulated within a Secure Container 
whenever stored outside a Secure Processing Environment or Secure Database. 

Non-Circumventable: VDE is non-circumventable (sequestered). It intercepts all 
attempts by any and all users, processes, and devices, to Access or Use (such as
observing, interfering with, or removing) Protected information, and Prevents all
such attempts other than as Allowed by execution of (and satisfaction of all
requirements imposed by) Associated VDE Controls within Secure Processing
Environment(s).

Peer to Peer: VDE is peer-to-peer. Each VDE node has the innate ability to perform
any role identified in the patent application (e.g., end user, content packager, 
distributor, Clearinghouse, etc.), and can protect information flowing in any direction 
between any nodes. VDE is not client-server. It does not pre-designate and restrict 
one or more nodes to act solely as a "server" (a provider of information (e.g., authored 
content, control information, etc.) to other nodes) or "client" (a requestor of such
information). All types of protected-content transactions can proceed without 
requiring interaction with any server. 

Comprehensive Range of Functions: VDE comprehensively Governs all Security
and commerce activities identified in the patent application, including (a) metering, 
budgeting, monitoring, reporting, and auditing information usage, (b) billing and 
paying for information usage, and (c) negotiating, signing and enforcing contracts that 
establish users' rights to Access or Use information. 

User-Configurable: The specific protections Governing specific VDE-Protected 
information are specified, modified, and negotiated by VDE's users. For example, 
VDE enables a consumer to place limits on the nature of content that may be accessed 
at her node (e.g., no R-rated material) or the amount of money she can spend on 
viewing certain content, both subject only to other users' senior Controls.

General Purpose; Universal: VDE is universal as opposed to being limited to or 
requiring any particular type of appliance, information, or commerce model. It is a
single, unified standard and environment within which an unlimited range of electronic 
rights protection, data Security, electronic currency, and banking applications can run. 

Flexible: VDE is more flexible than traditional information Security and commerce 








'900 Claim 155


MS Construction 






systems. For example, VDE allows consumers to pay for only the user-defined 
Portion of information that the user actually uses, and to pay only in proportion to any 
quantifiable VDE event (e.g., for only the number of paragraphs displayed from a 
book), and allows editing the content in VDE containers while maintaining its 
Security. 


94. 


a first host processing 
environment comprising 


a first host processing environment comprising: A Host Processing Environment
that encompasses the recited computer hardware (central processing unit, main
Memory, and mass storage) and certain VDE Protected Processing Environment 
software loaded in that main Memory and executing in that central processing unit, 
but does not encompass software, such as the recited Tamper Resistant Software, 
which is stored in mass storage and not executing. 

host processing environment: A processing environment within a VDE node which is 
not a Secure Processing Environment. A "host processing environment" may either
be "secure" or "not secure." A "secure host processing environment" is a
self-contained Protected Processing Environment, formed by loaded, Executable
programming executing on a general purpose CPU (not a Secure Processing Unit)
running in protected (privileged) mode. A "non-secure host processing environment" 
is formed by loaded, Executable programming executing on a general purpose CPU 
(not a Secure Processing Unit) running in user mode. 


95. 


a central processing unit; 




96. 


main memory operatively 
connected to said central 
processing unit; 


memory: see item #3 above 


97. 


mass storage operatively 
connected to said central 
processing unit and said 
main memory; 


memory: see item #3 above 


98. 


said mass storage storing 
tamper resistant software 


said mass storage storing tamper resistant software: The Tamper Resistant Software 
is physically stored within, as opposed to being merely Addressed by, the mass 

tamper resistant software: Software that is encapsulated and executed wholly within a 
Tamper Resistant Barrier. 


99. 


designed to be loaded into 
said main memory and 
executed by said central 
processing unit, 


designed to be loaded into said main memory and executed by said central processing 
unit: The Tamper Resistant Software is capable of being loaded into only said main 
Memory and is capable of being executed only by said central processing unit. 


100 


said tamper resistant 
software comprising: 
machine check 
programming which 
derives information from 
one or more aspects of said 
host processing 
environment, one or more 
storage locations storing 
said information; 


said tamper resistant software comprising: machine check programming which derives 
information from one or more aspects of said host processing environment, one or 
more storage locations storing said information: The Tamper Resistant Software 
within said mass storage includes one or more storage locations within it. These 
storage locations are designated to store, and must store, information Derived by the 
Machine Check Programming, and must not store any other information. 

machine check programming: Executable programming that when executed checks a 
machine and generates a unique "machine signature" which distinguishes the physical 
machine from all other machines. This machine check programming code sometimes 
is invoked by integrity programming. 

host processing environment: see item #94 above 
aspect: see item #64 above 


101. 


derives information from 
one or more aspects of said 
host processing 
environment 


derives information from one or more aspects of said host processing environment: 
Deriving from the Host Processing Environment hardware one or more values that 
uniquely and persistently Identify the Host Processing Environment and distinguish 
it from other Host Processing Environments. 

The "one or more aspects of said host processing environment" are persistent elements 
or properties of the Host Processing Environment itself that are capable of being 
used to distinguish it from other environments, as opposed to, e.g., data or programs 
stored within the mass storage or main Memory, or processes executing within the 
Host Processing Environment. 

host processing environment: see item #94 above 
derives: see item #100 above 
aspect: see item #64 above 


102. 


one or more storage 
locations storing said 
information; 


One or more storage locations: One or more logical storage locations within the 
Tamper Resistant Software storing only information Derived by the Machine Check 
Programming. 


103. 


integrity programming 
which causes said machine 
check programming to 
derive said information, 
compares said information 
to information previously 
stored in said one or more 
storage locations, and 


integrity programming: Executable programming that when executed checks and 
reports on the integrity of a device or process. "Integrity" means the property that 
information has not been altered either intentionally or accidentally. 

information previously stored in said one or more storage locations: Any information 
once stored in said "one or more storage locations storing said information," but not 
stored therein when the recited comparison occurs. 

information previously stored: Information that once was stored but is no longer 
stored. 

derive: see item #100 above 

compares: A processor operation that evaluates two quantities and sets one of three 
flag conditions as a result of the comparison - greater than, less than, or equal to. 


104 


generates an indication 
based on the result of said 
comparison, and 


generates an indication based on the result of said comparison: Producing an 
indication based on the result of the "compares" step. The "indication" need not be 
displayed to a user. The indication is based solely on that result. There are only two 
possible indications: exact match found or exact match not found. 

comparison: see item #103 above 


105 


programming which takes 
one or more actions based 
on the state of said 
indication; 


programming which takes one or more actions based on the state of said indication: 
Executable programming code that is a part of the Tamper Resistant Software, when 
executed, and not a part of the Host Processing Environment. Whenever the recited 
indication is generated, no matter what it indicates, this code (executing on the CPU 
for which it was designed and loaded in the Memory for which it was designed) must 
take an action, or more than one action. The particular action(s) taken must be based 
solely on the state of that indication. 


106. 


said one or more actions 
including at least 
temporarily halting further 
processing. 


at least temporarily halting further processing: The action(s) taken by this 
programming must encompass Halting or temporarily Halting all further processing 
of the Host Processing Environment and any processes running within it. 

halting: Stopping execution of a running (executing) process unconditionally (i.e., 
without providing any specific condition for resumption). For example, executing an 
instruction known as a "breakpoint halt instruction." 


107. 


8. A process comprising 
the following steps: 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


108. 


accessing a first record 
containing information 
directly or indirectly 
identifying one or more 
elements of a first 
component assembly, 


record: A data structure that is a collection of fields (elements), each with its own 
name and type. Unlike an array, whose elements are accessed using an index, the 
elements of a record are accessed by name. A record can be accessed as a collective 
unit of elements, or the elements can be accessed individually. 

identifying: see item #19 above 

access: see item #29 above 

comparison: see item #103 above 

component assembly: A cohesive Executable component created by a channel which 
binds or links together two or more independently deliverable Load Modules, and 
Associated data. A Component Assembly is assembled, and executes, only within a 
VDE Secure Processing Environment. A Component Assembly is assembled 
dynamically in response to, and to service, a particular content-related activity (e.g., a 
particular Use request). Each VDE Component Assembly is assigned and dedicated 
to a particular activity, particular user(s), and particular Protected information. Each 
Component Assembly is independently assembled, loadable and deliverable vis-à-vis 
other Component Assemblies. The dynamic assembly of a Component Assembly is 
directed by a "blueprint" Record Containing Control information for this particular 
activity on this particular information by this particular user(s). Component 
Assemblies are extensible and can be configured and reconfigured (modified) by all 
users, and combined by all users with other Component Assemblies, subject only to 
other users' "senior" Controls. 


109 


at least one of said 
elements including at least 
some executable 
programming, 


executable programming: 

Executable: A cohesive series of machine code instructions in a format that can be 
loaded into Memory and run (executed) by a connected processor. 

executable programming: A cohesive series of machine code instructions, comprising 
a computer program, in a format that can be loaded into Memory and run (executed) 
by a connected processor. (A "computer program" is a complete series of definitions 
and instructions that when executed on a computer will perform a required or 
requested task.) 

including: see item #2 above 


110 


at least one of said 
elements constituting a 
load module, 


load module: see item #72 above 


111 


said load module 
including executable 
programming and a 
header; 


load module: see item #72 above 

including: see item #2 above 

executable programming: see item #109 above 


112 


said header including an 
execution space identifier 
identifying at least one 
aspect of an execution 
space required for use 
and/or execution of the 
load module associated 
with said header, 


identifying at least one aspect of an execution space required for use and/or execution 
of the load module: Defining fully, without reference to any other information, at least 
one of the persistent elements or properties (aspects) (that are capable of being used to 
distinguish it from other environments of an Execution Space) that are Required for 
any Use, and/or for any execution, of the Load Module. An Execution Space without 
all of those Required aspects is incapable of making any such execution and/or other 
Use (e.g., Copying, displaying, printing) of the Load Module. 

including: see item #2 above 

execution space identifier: A value that uniquely identifies a particular execution 
space. 

execution space: A processor-addressable physical Memory into which data and 
Executable code can be loaded, which is assigned to a single executing process while 
that process is actively executing. Memory holding "swapped out" processes or 
Executables is not part of an "execution space." 

load module: see item #110 above 

required: see item #83 above 

aspect: see item #64 above 

associated with: see item #4 above 

identifying: see item #19 above 


113. 


said execution space 
identifier provides the 
capability for 
distinguishing between 
execution spaces providing 
a higher level of security 
and execution spaces 
providing a lower level of 
security; 


said execution space identifier provides the capability for distinguishing between 
execution spaces providing a higher level of security and execution spaces providing a 
lower level of security: The Execution Space Identifier, by itself, provides the Load 
Module with the capability of determining the persistent Level of Security of any 
Execution Space in which it is loaded, and of distinguishing between any two 
Execution Spaces based on their respective, determined persistent (not just occasional) 
"Levels Of Security." This capability extends to at least two Execution Spaces 
providing a higher Level of Security and at least two Execution Spaces providing a 
lower Level of Security. 

execution space identifier: see item #112 above 

execution space: see item #112 above 

level of security: see Security Level, item #73 above 


114 


using said information to 
identify and locate said 
one or more elements; 


identify: see item #19 above 


115 


accessing said located one 
or more elements; 


access: see item #29 above 


116 


securely assembling said 
one or more elements to 
form at least a portion of 
said first component 
assembly; 


securely assembling: Securely (1) linking or binding plural distinct elements together 
in a particular manner (specified by authenticated assembly instructions) into a single 
cohesive Executable unit so the elements can directly reference each other element 
within the resulting assembly, within a VDE Secure Processing Environment, (2) 
validating and verifying the authenticity and integrity of each element (e.g., that it has 
not been modified from or substituted for the correct element) immediately prior to 
binding it into the assembly, and (3) ensuring that the elements are linked together 
only in ways that are intended by the VDE participants who created the elements 
and/or specified the assembly thereof. 

component assembly: see item #108 above 


117 


executing at least some of 
said executable 
programming; and 


executable programming: see item #109 above 


118. 


checking said record for 
validity prior to performing 
said executing step. 


checking said record for validity prior to performing said executing step: Before 
executing any Executable Programming encompassed within any element which is 
directly or indirectly identified by any information Contained within the first 
Record, evaluating, within a VDE Secure Processing Environment, the values and 
formats of all data fields within the first Record and confirming that they have 
legitimate values and formats. 

record: see item #108 above 

validity: The state in which authenticated data conforms to predetermined 
completeness and consistency parameters. 


119. 


35. A process comprising 
the following steps: 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


120. 


at a first processing 
environment receiving a 
first record from a second 
processing environment 
remote from said first 
processing environment; 


processing environment: A standardized, well-defined, self-contained, computing 
base, formed by hardware and executing code, that provides an "interface" and set of 
resources which can support different applications, on different types of hardware 
platforms. In the context of claim 35 of the '912 patent: a Secure Processing 
Environment. 

record: see item #108 above 


121. 


said first record being 
received in a secure 
container, 


received in a secure container: The first Processing Environment obtained a VDE 
Secure Container encapsulating the Record inside, and authenticated the intended 
recipient in accordance with VDE Controls Associated With the Secure Container, 
and accepted the Secure Container. 

secure container: see item #59 above 


122. 


said first record containing 
identification information 
directly or indirectly 
identifying one or more 
elements of a first 
component assembly; 


containing: see item #60 above 
identifying: see item #19 above 
component assembly: see item #108 above 


123. 


at least one of said 
elements including at least 
some executable 
programming; 


including: see item #2 above 


124. 


said component assembly 
allowing access to or use 
of specified information; 


said component assembly allowing access to or use of specified information: The 


Component Assembly identifies specific information (the specific value, not merely 
the kind of information) over which it (by itself and with no other information), 
executing in a VDE Secure Processing Environment, Allows Access or Use (as 
opposed to Access "and" Use). Unless Allowed by the Component Assembly, no 
user, process, or device is able to Access or Use the specified information. The 
Component Assembly is Associated With and dedicated to this particular specified 
information. 

component assembly: see item #108 above 
allow (allowing): see item #10 above 
access: see item #29 above 


125 


said secure container also 
including a first of said 
elements; 


secure container: see item #59 above 
including: see item #2 above 


126 


accessing said first record; 


access: see item #29 above 
record: see item #108 above 


127 


using said identification 
information to identify and 
locate said one or more 
elements; 


identify: see item #19 above 


said locating step including 
locating a second of said 
elements at a third 
processing environment 
located remotely from said 
first processing 
environment and said 
second processing 
environment; 


processing environment: see item #120 above 


129. 


accessing said located one 
or more elements; 


access (accessing): see item #29 above 


130. 


said element accessing step 
including retrieving said 
second element from said 
third processing 
environment; 




131. 


securely assembling said 
one or more elements to 
form at least a portion of 
said first component 
assembly specified by said 
first record; and 


said first component assembly specified by said first record: The first Record by itself 
Contains sufficient information to unambiguously Identify the assembled 
Component Assembly, including all of its elements. 

This limitation is inconsistent with the recitation "first record containing identification 
information directly or indirectly identifying one or more elements of first component 
assembly." 

securely assembling: see item #116 above 
component assembly: see item #108 above 
record: see item #108 above 


132. 


executing at least some of 
said executable 
programming, 


executable programming: see item #109 above 


133. 


said executing step taking 
place at said first 
processing environment. 


processing environment: see item #120 above 


Claim Term / Phrase 


Agreed Construction 


Entity 
891.1 


Any person or organization. 


Generating 
861.58 


Producing. 


Govern, governed, governing 
891.1, 683.2 


See Control (v.). 


Metadata information 
861.58 


Information that describes one or more attributes of other data, and/or the processes 
used to create and/or use that data. For example, metadata information may describe 
the following attributes of other data: its meaning, representation in storage, what it is 
used for and by whom, context, quality and condition, location, ownership, or its data 
elements or their attributes (name, size, data type, etc.) 


Rendering 

193.11, 193.15, 193.19 


In the context of 193.11, 15 and 19: Playing content through an audio output (e.g., 
speakers) or displaying content on a video output (e.g., a screen). 


Secure container rule 
683.2 


A Rule that Governs a Secure Container Governed Item. 


Security 
721.1, 721.34 


See Secure. 


Tampering 

683.2, 721.1, 721.34, 900.155 


Using (e.g., observing or altering) in any unauthorized manner, or interfering with 
authorized use. 


"said mass storage, storing tamper 
resistant software" 

900.155 


The Tamper Resistant Software is physically stored within, as opposed to being merely 
Addressed by, the mass storage. 


"including using said key to 
decrypt at least a portion of said 
first digital file" 

193.19 


The "at least one use of said digital file" must encompass decrypting at least a Portion 
of the Digital File using the Key. 



Notation: 

Each term is followed by a list of the claims in which it appears (e.g., "193.15" means claim 15 from the '193 patent). 

'193 patent = U.S. Patent No. 6,253,193 

'683 patent = U.S. Patent No. 6,185,683 

'721 patent = U.S. Patent No. 6,157,721 

'891 patent = U.S. Patent No. 5,982,891 

'861 patent = U.S. Patent No. 5,920,861 

'912 patent = U.S. Patent No. 5,917,912 

'900 patent = U.S. Patent No. 5,892,900 


PLR 4-3(b) - InterTrust's Construction of Disputed Terms & Phrases 



Claim Term / Phrase 


InterTrust Construction 


access, accessed, access to, 
accessing 

193.15, 193.19, 912.8, 912.35, 
861.58, 683.2, 721.34 


To obtain something so it can be used. 


addressing 
861.58 


Referring by specific location or individual name to something without directly storing 
it. 


allowing, allows 

912.35, 193.1, 193.11, 193.15, 
193.19 


Normal English: permitting, permits; letting happen, lets happen. 


arrangement 
721.34 


Normal English: a collection of things that have been arranged. In context, the term 
can apply to an organization of hardware and/or software and/or data. 


aspect 

900.155, 912.8, 861.58, 683.2 


Feature, element, property or state. 


associated with 

912.8, 193.1, 193.11, 193.15, 
683.2 


Having a relationship with. 


authentication 
193.15 


Identifying (e.g., a person, device, organization, document, file, etc.). Includes 
uniquely identifying or identifying as a member of a group. 


authorization information, 
authorized, not authorized 

193.15, 193.19 


Authorize: Normal English: permit. 

Authorization Information: Information (e.g., a key) received if an action is 
Authorized. 

Information: nonaccidental signal(s) or character(s) used in a computer or 
communication system. Information includes programs and also includes data. 


budget control; budget 
193.1 


Budget: Information specifying a limitation on usage. See Authorization Information 
for the definition of Information. 

Budget control: The term is explicitly defined in the claim as a Control "including a 
budget specifying the number of copies which can be made of said digital file." 


can be 
193.1 


Normal English: the specified act is able or authorized to be carried out. In context, 
this means the number of copies allowed to be made. 


capacity 
683.2 


Normal English: "ability," or "capability." 


clearinghouse 
193.19 


A provider of financial and/or administrative services for a number of Entities; or an 
entity responsible for the collection, maintenance, and/or distribution of materials, 
information, licenses, etc. 


compares, comparison 
900.155 


Normal English: 

Compares: examines for the purpose of noting similarities and differences. 
Comparison: the act of comparing. 


component assembly 
912.8, 912.35 


Components are code and/or data elements that are independently deliverable. A 
Component Assembly is two or more components associated together. Component 
Assemblies are utilized to perform operating system and/or applications tasks. 


contain, contained, containing 

OOJ.£, 71^<0, 


Normal English: to have within or to hold. In the context of an element contained 
within a data structure (e.g., a secure container), the contained element may be either 
directly within the container or the container may hold a reference indicating where the 
element may be found. 


control (n.) 

193.1, 193.11, 193.15, 193.19, 
891.1 


Information and/or programming Governing operations on or use of Resources (e.g., 
content) including (a) permitted, required or prevented operations, (b) the nature or 
extent of such operations or (c) the consequences of such operations. 


controlling, control (v.) 
861.58, 193.1 


Normal English: to exercise authoritative or dominating influence over; direct. 


copied file 

193.11 


A Digital File that has been Copied and is usable. 


copy, copied, copying 
193.1, 193.11, 193.15, 193.19 


Reproduce, reproduced, reproducing. The reproduction must be usable, may 
incorporate all of the original item or only some of it, and may involve some changes 
to the item as long as the essential nature of the content remains unchanged. 


copy control 
193.1 


A Control used to determine whether a Digital File may be Copied and the Copied 
Digital File stored on a second device. 


data item 
891.1 


A unit of digital information. 


derive, derives 
900.155 


Normal English: obtain, receive or arrive at through a process of reasoning or 
deduction. In the context of computer operations, the "process of reasoning or 
deduction" constitutes operations carried out by the computer. 


descriptive data structure 
861.58 


Machine-readable description of the layout and/or contents of a rights management 
data structure (e.g., a Secure Container). 


designating 
721.1 


Normal English: indicating, specifying, pointing out or characterizing. 


device class 
721.1 


A group of devices which share at least one attribute. 


digital file 

193.1, 193.11, 193.15, 193.19 


A named collection of digital information. 


digital signature, digitally signing 
721.1 


Digital signature: A digital value, verifiable with a Key, that can be used to determine 
the source and/or integrity of a signed item (e.g., a file, program, etc.). 

Digitally signing is the process of creating a digital signature. 


entity's control 
891.1 


Entity's Control: Control belonging to or coming from an Entity. See list of Agreed 
Constructions for definition of Entity. 


environment 

912.35, 900.155, 891.1, 683.2, 
721.34 


Capabilities available to a program running on a computer or other device or to the 
user of a computer or other device. Depending on the context, the environment may 
be in a single device (e.g., a personal computer) or may be spread among multiple 
devices (e.g., a network). 


executable programming, 
executable 

912.8, 912.35, 721.34 


A computer program that can be run, directly or through interpretation. 


execution space, execution space 
identifier 

912.8 


Execution space: Resource which can be used for execution of a program or process. 

Execution space identifier: Information Identifying an Execution Space. See 
Authorization Information for definition of Information. 


governed item 
683.2 


Governed Item: an item that is Governed. See list of Agreed Constructions for the 
definition of Governed. 


halting 
900.155 


Normal English: suspending. 


host processing environment 
900.155 


This term is explicitly defined in the claim and therefore needs no additional 
definition. It consists of those elements listed in the claim. 

Without waiving its position that no separate definition is required, if required to 
propose such a definition, InterTrust proposes the following: a Protected Processing 
Environment incorporating software-based Security. 


identifier, identify, identifying 

193.11, 193.15, 912.8, 912.35, 
861.58 


Identifier: Information used to Identify something or someone (e.g., a password). 

Identify/identifying: Normal English: To establish/establishing the identity of or to 
ascertain/ascertaining the origin, nature, or definitive characteristics of; includes 
identifying as an individual or as a member of a group. 


including 

193.1 (at 320:63, and 321:3); 
193.19 (at 324:15); 

912.8 (at 327:36, 39, and 41); 
912.35 (330:35 and 39); 
861.58 (at 26:53 and 63); and 

683.2 (at 63:60). 


Normal English: Depending on the context, this means: part of or storing within, as 
opposed to Addressing. 


information previously stored 
900.155 


Normal English: Information stored at an earlier time. See Authorization Information 
for the definition of Information. 


integrity programming 
900.155 


This term is fully defined in the claim, which specifies the steps the integrity 
programming must perform. Integrity programming is programming that performs the 
recited steps. The term therefore needs no additional definition. 

Without waiving its position that no separate definition is required, if required to 
propose such a definition, InterTrust proposes the following: programming that 
checks the integrity of a Host Processing Environment. 


key 
193.19 


Information used to encrypt, decrypt, sign or verify other information. 


load module 
912.8, 721.1 


An Executable unit of code designed to be loaded into memory and executed, plus 
associated data. 


machine check programming 
900.155 


Programming that checks a host processing environment and derives information from 
an Aspect of the Host Processing Environment. 


opening secure containers 
683.2 


Providing Access to the contents of a Secure Container (e.g., by decrypting the 
contents, if the contents are encrypted). 


operating environment 
891.1 


Environment in which programs function. 


organization, organization 
information, organize 

861.58 


In the context of organization of a Secure Container, these terms describe contents 
required or desired (including Information used to categorize these contents); or 
Information used to specify a particular location for content. See Authorization 
Information for the definition of Information. 


193.1, 193.11, 193.15, 193.19, 
912.8, 912.35, 861.58 


Normal English: a part of a whole. The presence of a "portion" does not exclude the 
presence of the whole (e.g., storage of an entire file necessarily includes storage of any 
portions into which that file may be subdivided). 


prevents 


Normal English: keeps from happening. 


processing environment 


Processing: manipulating data. 

Processing Environment: An Environment used for Processing. A Processing 
Environment may be made up of one device or of more than one device linked 
together. 


protected processing environment 
721.34, 683.2 


Processing Environment in which processing and/or data is at least in part protected 
from Tampering. The level of protection can vary, depending on the threat. 


protecting 
683.2 


Normal English: keeping from being damaged, attacked, stolen or injured. 


record (n.) 
912.8, 912.35 


Collection of related items of data treated as a unit. 


required 
912.8, 861.58 


Normal English: a thing that is required is a thing that is obligatory or demanded. 


resource processed 
891.1 


Resource: computer software, computer hardware, data, data structure or information. 

Resource processed: a Resource subject to being Processed, i.e., computer software, 
data, data structure or information. See Processing Environment for a definition of 
Processed. 


rule 

861.58, 683.2 


See Control. 


secure 

193.1, 193.11, 193.15, 912.35, 
861.58, 891.1, 683.2, 721.34 


One or more mechanisms are employed to prevent, detect or discourage misuse of or 
interference with information or processes. Such mechanisms may include 
concealment, Tamper Resistance, Authentication and access control. Concealment 
means that it is difficult to read information (for example, programs may be 
encrypted). Tamper Resistance and Authentication are separately defined. Access 
control means that Access to information or processes is limited on the basis of 
authorization. Security is not absolute, but is designed to be sufficient for a particular 
purpose. 


secure container 
912.35, 861.58, 683.2 


Container: Digital File Containing linked and/or embedded items. 
Secure Container: A Container that is Secure. 


secure container governed item 
683.2 


Information and/or programming Contained in a Secure Container and Governed by an 
associated Secure Container Rule. 


secure database 
193.1, 193.11, 193.15 


Database: an organized collection of information. 
Secure Database: Database that is Secure. 


secure execution space 


Execution Space that is Secure. 


secure memory, memory 
193.1, 193.11, 193.15 


Memory: A medium in which data (including executable instructions) may be stored 
and from which it may be retrieved. "Memory" includes "virtual memory." 

Secure Memory: Memory in which Information is handled in a Secure manner. See 
Authorization Information for the definition of Information. 


secure operating environment, 
said operating environment 

891.1 


An Operating Environment that is Secure. 


securely applying 
891.1 


Requiring that one or more Controls be complied with before content may be used. 
The operation of requiring that the Control(s) be complied with must be carried out in 
a Secure manner. 


securely assembling 
912.8, 912.35 


Associating two or more Components together to form a Component Assembly, in a 
Secure manner. See Component Assembly for the definition of Component. 


securely processing 
891.1 


Processing occurring in a Secure manner. See Processing Environment for the 
definition of Processing. 


securely receiving 
891.1 


Receiving has its normal English meaning: acquiring or getting. 
Securely Receiving means receipt occurring in a Secure manner. 


security level, level of security 
721.1; 721.34, 912.8 


Information that can be used to determine how Secure something is (e.g., a device, 
Tamper Resistant Barrier or Execution Space). 


tamper resistance 
721.1, 721.34, 900.155 


Making Tampering more difficult and/or allowing detection of Tampering. 


tamper resistant barrier 
721.34 


Hardware and/or software that provides Tamper Resistance. 


tamper resistant software 
900.155 


Software designed to make it more difficult to Tamper with the software and/or allow 
detection of tampering. 


use 

912.8, 912.35, 861.58, 193.19, 
891.1, 683.2, 721.1 


Normal English: to put into service or apply for a purpose, to employ. 


user controls 
683.2 


Hardware feature of an apparatus allowing a user to operate the apparatus (e.g., a 
keyboard). 


validity 
912.8 


A property of something (e.g., a Record) indicating that it is appropriate for use. 


virtual distribution environment 
900.155 


This term is contained in the preamble of the claim and should not be defined, other 
than as requiring the individual claim elements. 

Without waiving its position that no separate definition is required, if required to 
propose such a definition, InterTrust proposes the following: secure, distributed 
electronic transaction management and rights protection system for controlling the 
distribution and/or other usage of electronically provided and/or stored information. 


'193:1 


The claim contains no requirement of a VDE. 


receiving a digital file including 
music 


See Receiving a digital file (193.11). This phrase is interpreted the same, except that 
the file includes music. 


a budget specifying the number of 
copies which can be made of said 
digital file 


Normal English, incorporating the separately defined terms: a Budget stating the 
number of Copies that Can Be made of the Digital File referred to earlier in the claim. 


controlling the copies made of 
said digital file 


The nature of this operation is further defined in later claim elements. In context, the 
Copy Control determines the conditions under which a Digital File may be Copied and 
the Copied File stored on a second device. 


determining whether said digital 
file may be copied and stored on a 
second device based on at least 
said copy control 


Normal English, incorporating the separately defined terms: Using the Copy Control 
in deciding whether the Digital File referred to earlier in the claim may be Copied and 
the Copied Digital File stored on a second device. 


if said copy control allows at least 
a portion of said digital file to be 
copied and stored on a second 
device 


Normal English: a "yes" result is received in the step Determining whether said digital 
file may be copied and stored on a second device based on at least said copy control 
(193.1). 


copying at least a portion of said 
digital file 


Normal English, incorporating the separately defined terms: Copying at least a Portion 
of the Digital File referred to earlier in the claim. 


transferring at least a portion of 
said digital file to a second device 


Normal English, incorporating the separately defined terms: at least a Portion of the 
Copied Digital File is sent to a second device. 


storing said digital file 


Normal English: that which was transferred in the transferring step is stored. 


'193:11 


The claim contains no requirement of a VDE. 


receiving a digital file 


Normal English, incorporating the separately defined term: a Digital File is obtained. 

This phrase has been designated by Microsoft for interpretation under § 112(6). 
InterTrust objects to such designation. Without waiver of such objection, as is 
required by the Local Rules, InterTrust hereby identifies acts corresponding to this 
term: 

Claim elements specifying the act of receiving a file, or the act of establishing 
communications, map onto a large number of structures and acts disclosed in the 
specification, many of which constitute alternate embodiments. These include 
obtaining a file or communicating through telecommunications links, satellite 
transmissions, physical exchange of media, network transmissions, etc. 


determining whether said digital 
file may be copied and stored on a 
second device based on said first 
control 


Normal English, incorporating the separately defined terms: Using the Control to 
decide whether the Digital File may be Copied and the Copied Digital File stored on 
the second device. 


identifying said second device 


Normal English, incorporating the separately defined term: the second device is 
Identified. 


whether said first control allows 
transfer of said copied file to said 
second device 


Normal English, incorporating the separately defined terms: Using the first Control to 
decide if the Copied Digital File may be sent to the second device. 


said determination based at least 
in part on the features present at 
the device 


Normal English: the decision referred to earlier in the claim is based at least in part on 
Characteristics of the second device. 


if said first control allows at least 
a portion of said digital file to be 
copied and stored on a second 
device 


See "If said copy control allows at least a portion of said digital file to be copied and 
stored on a second device" (193.1). The definitions are the same. 


copying at least a portion of said 
digital file 


See "Copying at least a portion of said digital file" (193.1). The definitions are the 
same. 


transferring at least a portion of 
said digital file to a second device 


See "Transferring at least a portion of said digital file to a second device" (193.1). The 
definitions are the same. 


storing said digital file 


See "Storing said digital file" (193.1). The definitions are the same. 


'193:15 


The claim contains no requirement of a VDE. 


receiving a digital file 


See "Receiving a digital file" (193.11). The definitions are the same. 


an authentication step comprising: 


Normal English, incorporating the separately defined term: a step involving 
Authentication. 


accessing at least one identifier 
associated with a first device or 
with a user of said first device 


Normal English, incorporating the separately defined terms: Accessing an Identifier 
Associated With a device or a user of the device. 


determining whether said 
identifier is associated with a 
device and/or user authorized to 
store said digital file 


Normal English, incorporating the separately defined terms: deciding whether the 
Identifier is Associated With a device or user with authority to store the Digital File. 


storing said digital file in a first 
secure memory of said first 
device, but only if said device 
and/or user is so authorized, but 
not proceeding with said storing if 
said device and/or user is not 
authorized 


Normal English, incorporating the separately defined terms: this step proceeds or does 
not proceed based on the preceding determining step. If this step proceeds, the Digital 
File is stored in a Secure Memory of the first device. 


storing information associated 
with said digital file in a secure 
database stored on said first 
device, said information including 


Normal English, incorporating the separately defined terms: storing a Control 
Associated With the Digital File in a Secure Database stored at the first device. 


at least one control 




determining whether said digital 
file may be copied and stored on a 
second device based on said at 
least one control 


See "Determining whether said digital file may be copied and stored on a second 
device based on at least said copy control" (193.1). The definitions are the same. 


if said at least one control allows 
at least a portion of said digital 
file to be copied and stored on a 
second device, 


See "If said first control allows at least a portion of said digital file to be copied and 
stored on a second device" (193.11). The definitions are the same. 


copying at least a portion of said 
digital file 


See "Copying at least a portion of said digital file" (193.1). The definitions are the 
same. 


transferring at least a portion of 
said digital file to a second device 


See "Transferring at least a portion of said digital file to a second device" (193.1). The 
definitions are the same. 


storing said digital file 


See "Storing said digital file" (193.1). The definitions are the same. 


'193:19 


The claim contains no requirement of a VDE. 


receiving a digital file at a first 
device 


See "Receiving a digital file" (193.11). The definitions are the same. 


establishing communication 
between said first device and a 
clearinghouse located at a location 
remote from said first device 


Normal English, incorporating the separately defined term: sending information from 
the first device to the Clearinghouse and/or the first device receiving information from 
the Clearinghouse. 

This phrase has been designated by Microsoft for interpretation under § 112(6). 
InterTrust objects to such designation. Without waiver of such objection, as is 
required by the Local Rules, InterTrust hereby identifies acts corresponding to this 
term: 

Claim elements specifying the act of receiving a file, or the act of establishing 
communications, map onto a large number of structures and acts disclosed in the 
specification, many of which constitute alternate embodiments. These include 
obtaining a file or communicating through telecommunications links, satellite 
transmissions, physical exchange of media, network transmissions, etc. 


using said authorization 
information to gain access to or 
make at least one use of said first 
digital file 


Normal English, incorporating the separately defined terms: the Authorization 
Information is used in a process of Accessing or Using the Digital File. 


receiving a first control from said 
clearinghouse at said first device 


Normal English, incorporating the separately defined terms: the first device acquires 
or gets a Control from the Clearinghouse. 

This phrase has been designated by Microsoft for interpretation under § 112(6). 
InterTrust objects to such designation. Without waiver of such objection, as is 
required by the Local Rules, InterTrust hereby identifies acts corresponding to this 
term: 

Claim elements specifying the act of receiving a file, or the act of establishing 
communications, map onto a large number of structures and acts disclosed in the 
specification, many of which constitute alternate embodiments. These include 
obtaining a file or communicating through telecommunications links, satellite 
transmissions, physical exchange of media, network transmissions, etc. 


storing said first digital file in a 
memory of said first device 


Normal English, incorporating the separately defined terms: the Digital File is stored 
at the first device. 


using said first control to 
determine whether said first 
digital file may be copied and 
stored on a second device 


See "Determining whether said digital file may be copied and stored on a second 
device based on at least said copy control" (193.1). The definitions are the same. 


if said first control allows at least 
a portion of said first digital file to 
be copied and stored on a second 
device 


See "If said first control allows at least a portion of said digital file to be copied and 
stored on a second device" (193.11). The definitions are the same. 


copying at least a portion of said 
first digital file 


See "Copying at least a portion of said digital file" (193.1). The definitions are the 
same. 


transferring at least a portion of 
said first digital file to a second 
device including a memory and an 
audio and/or video output 


See "Transferring at least a portion of said digital file to a second device" (193.1). The 
definitions are the same, except that the second device has an audio or video output or 
both (e.g., a speaker, a screen, etc.). 


storing said first digital file 
portion 


Normal English, incorporating the separately defined terms: the Digital File Portion is 
stored. 


'683:2 


The claim contains no requirement of a VDE. 


the first secure container having 
been received from a second 
apparatus 


Normal English, incorporating the separately defined term: the Secure Container was 
acquired from a second apparatus. The second apparatus is different from the first 
apparatus. 


an aspect of access to or use of 


Normal English, incorporating the separately defined terms: Aspect and Access to or 
Use of. Those terms fully define the phrase, so that no other definition is possible. 


the first secure container rule 
having been received from a third 
apparatus different from said 
second apparatus 


Normal English, incorporating the separately defined terms: this term requires that the 
first Secure Container Rule was acquired from a third apparatus. The third apparatus 
is different from the second apparatus or the first apparatus. 


hardware or software used for 
receiving and opening secure 
containers 


Normal English, incorporating the separately defined terms: computer hardware or 
programming that acquires Secure Containers and Opens the Secure Containers (see 
Opening Secure Containers). 

This phrase has been designated by Microsoft for interpretation under § 112(6). 
InterTrust objects to such designation. Without waiver of such objection, as is 
required by the Local Rules, InterTrust hereby identifies structures corresponding to 
this term: 

Structures corresponding to this element include Processor(s) 4126 and/or software 
running on Processors 4126 (including Protected Processing Environment 650) and 
Communications Device 666. 


said secure containers each 
including the capacity to contain a 
governed item, a secure container 
rule being associated with each of 
said secure containers 


Each Secure Container referred to in the phrase "hardware or software used for 
receiving and opening secure containers" must have the capacity to Contain a 
Governed Item, and must have Associated With it a Secure Container Rule. 


protected processing environment 
at least in part protecting 
information contained in said 
protected processing environment 
from tampering by a user of said 
first apparatus 


Normal English, incorporating the separately defined terms: a Protected Processing 
Environment contains Information. The Protected Processing Environment protects 
the contained Information from Tampering by a user. The protection may be partial 
rather than complete. See Authorization Information for the definition of Information. 


hardware or software used for 
applying said first secure 
container rule and a second secure 
container rule in combination to at 
least in part govern at least one 
aspect of access to or use of a 
governed item contained in a 
secure container 


Normal English, incorporating the separately defined terms: computer hardware or 
programming that uses the first Secure Container Rule and a second Secure Container 
Rule. These rules are Applied in Combination to Govern a Governed Item contained 
in a Secure Container. 

This phrase has been designated by Microsoft for interpretation under § 112(6). 
InterTrust objects to such designation. Without waiver of such objection, as is 
required by the Local Rules, InterTrust hereby identifies structures corresponding to 
this term: 

Structures corresponding to this element include Processor(s) 4126 and/or software 
running on Processors 4126 (including Protected Processing Environment 650). 


hardware or software used for 
transmission of secure containers 
to other apparatuses or for the 
receipt of secure containers from 
other apparatuses. 


Normal English, incorporating the separately defined terms: computer hardware or 
programming that sends Secure Containers to other apparatuses (e.g., other computers) 
or acquires Secure Containers from other apparatuses. 

This phrase has been designated by Microsoft for interpretation under § 112(6). 
InterTrust objects to such designation. Without waiver of such objection, as is 
required by the Local Rules, InterTrust hereby identifies structures corresponding to 
this term: 

Structures corresponding to this element include Processor(s) 4126 and/or software 
running on Processors 4126 (including Protected Processing Environment 650) and 
Communications Device 666. 


'721:1 


The claim contains no requirement of a VDE. 


digitally signing a first load 
module with a first digital 
signature designating the first load 
module for use by a first device 
class 


Normal English, incorporating the separately defined terms: generating a Digital 
Signature for the first Load Module, the Digital Signature Designating that the first 
Load Module is for use by a first Device Class. 


digitally signing a second load 
module with a second digital 
signature different from the first 
digital signature, the second 
digital signature designating the 
second load module for use by a 
second device class having at least 
one of tamper resistance and 
security level different from the at 
least one of tamper resistance and 
security level of the first device 
class 


Normal English, incorporating the separately defined terms: generating a Digital 
Signature for the second Load Module, the Digital Signature Designating that the 
second Load Module is for use by a second Device Class. This element further 
requires that the second Device Class have a different Tamper Resistance or Security 
Level than the first Device Class. 


distributing the first load module 
for use by at least one device in 
the first device class 


Normal English, incorporating the separately defined terms: distributing the first Load 
Module so that it can be used by a device in the first Device Class. 


distributing the second load 
module for use by at least one 
device in the second device class 


Normal English, incorporating the separately defined terms: distributing the second 
Load Module so that it can be used by a device in the second Device Class. 


'721:34 


The claim contains no requirement of a VDE. 


arrangement within the first 
tamper resistant barrier 


Normal English, incorporating the separately defined terms: an Arrangement 
protected by the first Tamper Resistant Barrier, the Arrangement operating as 
described in the claim. 


prevents the first secure execution 
space from executing the same 
executable accessed by a second 
secure execution space having a 
second tamper resistant barrier 
with a second security level 
different from the first security 
level 


Normal English, incorporating the separately defined terms: stops the first Secure 
Execution Space from executing (e.g., running a program) an Executable accessed by a 
second Secure Execution space. The first and second Secure Execution Spaces have 
Tamper Resistant Barriers that have different Security Levels. 


'861:58 


The claim contains no requirement of a VDE. 


creating a first secure container 


This term is contained in the preamble of the claim and should not be defined, other 
than as requiring the individual claim elements. 

Without waiving its position that no separate definition is required, if required to 
propose such a definition, InterTrust proposes the following: 

Normal English, incorporating the separately defined terms: producing a Secure 
Container. 


including or addressing ... 
organization information . . . 
desired organization of a content 
section. . . and metadata 
information at least in part 
specifying at least one step 
required or desired in creation of 
said first secure container 


This is not a claim term, but is instead a series of fragments. Interpretation of this 
phrase is therefore impossible, since the phrase does not appear in the claim. 

Without waiving its position that these claim fragments should not be interpreted, 
InterTrust would be willing to agree to the following: 

1. The same single Descriptive Data Structure must either Contain within its confines 
or Address both Organization Information and Metadata information. 


at least in part determine specific 
information required to be 
included in said first secure 
container contents 


Normal English, incorporating the separately defined terms: at least partially Identify 
specific Information that must be included in the first Secure Container. See 
Authorization Information for the definition of Information. 


rule designed to control at least 
one aspect of access to or use of at 
least a portion of said first secure 
container contents 


Normal English, incorporating the separately defined terms: a Rule that Governs at 
least some of the contents of the Secure Container. 


'891:1 


The claim contains no requirement of a VDE. 


resource processed in a secure 
operating environment at a first 
appliance 


This term is contained in the preamble of the claim and should not be defined, other 
than as requiring the individual claim elements. 

Without waiving its position that no separate definition is required, if required to 
propose such a definition, InterTrust proposes the following: 

Normal English, incorporating the separately defined terms: a Resource Processed in a 
Secure Operating Environment, the Secure Operating Environment being present at an 
appliance (e.g., a computer). 


securely receiving a first entity's 
control at said first appliance 


Normal English, incorporating the separately defined terms: an Entity's Control is 
Securely Received at the first appliance. 

This phrase has been designated by Microsoft for interpretation under § 112(6). 
InterTrust objects to such designation. Without waiver of such objection, as is 
required by the Local Rules, InterTrust hereby identifies acts corresponding to this 
term: 

Claim elements specifying the act of receiving a file, or the act of establishing 
communications, map onto a large number of structures and acts disclosed in the 
specification, many of which constitute alternate embodiments. These include 
obtaining a file or communicating through telecommunications links, satellite 
transmissions, physical exchange of media, network transmissions, etc. 

Claim elements specifying the act of "securely receiving" map onto embodiments of 
"receiving" (see above) in which the received element (e.g., a control) is received in a 
manner providing security. The specification describes a number of security-related 
mechanisms for use in communications, including encryption, authentication and 
tamper-resistance. Such mechanisms constitute alternate embodiments. 


securely receiving a second 
entity's control at said first 
appliance 


See Securely receiving a first entity's control at said first appliance. The definitions 
are the same, except that the second entity and the first entity are different. 


securely processing a data item at 
said first appliance, using at least 
one resource 


Normal English, incorporating the separately defined terms: a Resource is used in 
Securely Processing a Data Item, the processing occurring at the first appliance. 


securely applying, at said first 
appliance through use of said at 
least one resource said first 
entity's control and said second 
entity's control to govern use of 
said data item 


Normal English, incorporating the separately defined terms: the first Entity's Control 
and the second Entity's Control are Securely Applied to Govern Use of the Data Item, 
the act of Securely Applying involving use of the Resource. 


'900:155 


See definition of Virtual Distribution Environment, above. 


first host processing environment 
comprising 


A Host Processing Environment including (but not limited to), the listed elements. 


designed to be loaded into said 
main memory and executed by 
said central processing unit 


Normal English, incorporating the separately defined term: software designed to be 
loaded into the Memory of a computer and executed by the computer's processor. 


said tamper resistant software 
comprising: . . . one or more 
storage locations storing said 
information 


This is not a claim term, but is instead two sentence fragments. Interpretation of this 
phrase is therefore impossible, since the phrase does not appear in the claim. 


derives information from one or 
more aspects of said host 
processing environment, 


Normal English, incorporating the separately defined terms: Derives (including 
creates) Information based on at least one Aspect of the previously referred to Host 
Processing Environment. See Authorization Information for the definition of 
Information. 


one or more storage locations 
storing said information 


Normal English, incorporating the separately defined terms: Information relating to 
one or more Aspects of the Host Processing Environment is stored in one or more 
locations. See Authorization Information for the definition of Information. 


information previously stored in 
said one or more storage locations 


See Information Previously Stored. The definitions are the same. 


generates an indication based on 
the result of said comparison 


Producing an indication based on the result of the "compares" step. The "indication" 
need not be displayed to a user. 


programming which takes one or 
more actions based on the state of 
said indication 


Normal English: software that takes an action if the indication has one state, but does 
not take that action if the indication does not have that state. 


at least temporarily halting further 
processing 


Normal English, incorporating the separately defined terms: Halting Processing, the 
Halt being temporary or permanent. See Securely Processing for the definition of 
Processing. 


'912:8 


The claim contains no requirement of a VDE. 


identifying at least one aspect of 
an execution space required for 
use and/or execution of the load 
module 


Identifying at least one aspect of an execution space: 

Normal English, incorporating the separately defined terms: Identifying an Aspect 
(e.g. Security Level) of an Execution Space 

Required for use and/or execution of the load module: 

Normal English, incorporating the separately defined terms: the Identified Aspect is 
needed in order for the Load Module to execute or otherwise be used. 


said execution space identifier 
provides the capability for 
distinguishing between execution 
spaces providing a higher level of 
security and execution spaces 
providing a lower level of security 


Normal English, incorporating the separately defined terms: the Execution Space 
Identifier makes it possible to distinguish higher Security Level Execution Spaces 
from lower Security level Execution Spaces. 


checking said record for validity 
prior to performing said executing 
step 


Normal English, incorporating the separately defined terms: determining whether the 
Record has Validity, the determination occurring before the execution step. 


'912:35 


The claim contains no requirement of a VDE. 


received in a secure container 


Normal English, incorporating the separately defined terms: the Record is Contained 
in a Secure Container when acquired. 


said component assembly 
allowing access to or use of 
specified information 


Normal English, incorporating the separately defined terms: the Component Assembly 
allows Access to specified Information. See Authorization Information for the 
definition of Information. 


said first component assembly 
specified by said first record 


This term is a label referring back to the first component assembly identified earlier in 
the claim. It has no other meaning. 
EXHIBIT C 



PLR 4-3(b) - Identification of Supporting Evidence 

The following represents InterTrust's list of all evidence relevant to construction of the disputed terms and phrases. 
InterTrust expects to identify those passages of greatest significance in connection with InterTrust's claim construction 
briefing. In addition to the evidence listed in the table below, InterTrust intends to rely on the testimony of Dr. Reiter, as 
described in more detail in Exh. F. 

Notes: 

1. InterTrust reserves the right to supplement this list as needed to respond to changed constructions proffered by 
Microsoft immediately before or after the submission of the Joint Claim Construction Statement, or to respond to evidence 
or arguments proffered by Microsoft. 

2. In the following list, certain terms and phrases include other, separately defined terms. In such cases, the evidence 
supporting the separately defined term is also relevant to construction of the larger term. 

3. The InterTrust patents include overlapping specifications, in which the same text may be found in two or more 
specifications. In such cases, InterTrust has cited only one of the specifications. InterTrust reserves the right to substitute 
citations for the same text in other specifications. 

4. Citations of specification text also include a citation of any Figures discussed in that text. 

5. Each claim term is followed by a list of all patent claims in which the term appears (e.g., "193.15" means claim 
15 from the '193 patent). 

Key to abbreviations: 

USP = United States Patent 
'193 patent = USP 6,253,193 
'683 patent = USP 6,185,683 
'721 patent = USP 6,157,721 
'891 patent = USP 5,982,891 
'861 patent = USP 5,920,861 
'912 patent = USP 5,917,912 
'900 patent = USP 5,892,900 



Claim Term / Phrase 


InterTrust Evidence 


access, accessed, access to, accessing 
193.15, 193.19, 912.8, 912.35, 861.58, 683.2, 721.34 

Patent Specifications 
'193 patent at 51:32-33, 61 
'193 patent at 59:53-55 
'193 patent at 62:54-57 
'193 patent at 64:6-7 
'193 patent at 65:14-19 
'193 patent at 71:49-51 
'193 patent at 72:1-3 
'193 patent at 120:59-66 
'193 patent at 128:42-45 
'193 patent at 136:58-60 
'193 patent at 137:63-66 
'193 patent at 139:41-55 
'193 patent at 159:24-26 
'193 patent at 159:64-160:8 
'193 patent at 163:36-63 
'193 patent at 170:17-19 
'193 patent at 173:9-16 
'193 patent at 178:57-63 
'193 patent at 183:24-26 
'193 patent at 183:55-57 
'193 patent at 188:65-66 
'193 patent at 192:2-57 
'193 patent at 217:27-42 
'193 patent at 274:58-61 
'193 patent at 298:67-299:5 

'683 patent at 10:66-11:3 
'683 patent at 12:52-53 
'683 patent at 13:15 
'683 patent at 15:67-16:4 
'683 patent at 19:6-14 
'683 patent at 42:34-37 
'683 patent at 56:21-25 
'683 patent at 57:63-65 

'861 patent at 12:35-39 
'861 patent at 13:6-17 
'861 patent at 15:35-48 
'861 patent at 17:22-25 

'721 patent at 2:47-53 
'721 patent at 2:62-63 
'721 patent at 4:5-15 

Extrinsic Sources 

Personal Computer Dictionary (1995), p. 11. 

Wyatt, Computer Professional's Dictionary (Osborne McGraw-Hill, 1990), p. 7. 

Webster's New World Dictionary of Computer Terms, 6th ed. (1997), p. 12. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 

The New IEEE Standard Dictionary of Electrical and Electronic Terms (IEEE, 1993), p. 6. 

Cooper, Computer & Communications Security: Strategies for the 1990s, p. 365. 

National Information System Security (INFOSEC) Glossary, NSTISSI No. 4009 (2000), p. 1. 

Glossary of Telecommunications Terms (National Communications Systems, 1996), p. A-3. 

Webster's New World Dictionary of Computer Terms, 4th ed. (1992), p. 2. 

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold, 1983), p. 494. 



addressing 
861.58 

Patent Specifications 
'861 patent at 5:57-6:7 
'861 patent at 10:53-59 
'861 patent at 14:14-29 
'861 patent at 15:21-31 




'193 patent at 86:51-56 
'193 patent at 92:18-23 
'193 patent at 109:2-5 
'193 patent at 214:15-18 
'193 patent at 289:14-22 

Extrinsic Sources 

Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 17. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 

The New IEEE Standard Dictionary of Electrical and Electronic Terms (1993), pp. 16-17. 

Glossary of Telecommunications Terms (National Communications Systems, 1996), p. A-7. 


allowing, allows 

912.35, 193.1, 193.11, 193.15, 
193.19 


Patent Specifications 
'193 patent at 11:19-23 
'193 patent at 15:14-17 
'193 patent at 16:49-51 

'1 93 natpnt at ^4*1 "X 1Q 

i^J jJaiClll at Jt.I J-17 

'193 patent at 75:1-5 
Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. [illegible] 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 


Webster's College Dictionary of Random House (1991), p. 38. 
Funk & Wagnalls Standard College Dictionary (1973-74), p. 39. 


arrangement 
721.34 

Patent Specifications 
'721 patent at 3:10-15 
'721 patent at 4:56-60 
'721 patent at 16:52-64 
'721 patent at 19:24-32 
'193 patent at 1:27-36 
'193 patent at 8:21-27 
'193 patent at 10:49-53 
'193 patent at 11:38-45 
'193 patent at 11:49-53 
'193 patent at 12:51-61 
'193 patent at 13:1-4 
'193 patent at 14:60-66 
'193 patent at 19:5-9 
'193 patent at 20:51-67 
'193 patent at 41:31-33 
'193 patent at 45:52-59 
'193 patent at 48:33-36 
'193 patent at 48:66-49:3 
'193 patent at 225:39-46 
'193 patent at 226:43-53 
'193 patent at 227:25-28 
'193 patent at 230:45-50 
'193 patent at 236:25-29 
'193 patent at 301:58-59 




Extrinsic Sources 




The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 102. 




File Histories 




'721 File History, original claims 15-18 and 36-39 


aspect 
900.155, 912.8, 861.58, 683.2 

Patent Specifications 
'900 patent at 74:49-55 
'900 patent at 74:12-17 
'900 patent at 74:29-33 
'900 patent at 77:15-19 
'900 patent at 236:3-7 
'193 patent at 83:30-32 
'193 patent at 95:27-30 
'193 patent at 103:14-20 
'193 patent at 121:35-37 
'193 patent at 125:39-41 
'193 patent at 340:40-43 




'861 patent at 6:24-29 




'861 patent at 17:3-6 




File Histories 




'900 File History, original claims 5-6. 




App. No. 09/342,899, 6/12/00 Office Action, p. 5 (citing USP 5,748,960 at 21:7-15). 




912.8, 193.1, 193.11, 193.15, 683.2 

Patent Specifications 
'193 patent at 5:19-21 
'193 patent at 12:40-43 
'193 patent at 13:54-63 
'193 patent at 15:51-55 
'193 patent at 17:52-56 
'193 patent at 18:36-42 
'193 patent at 20:8-26 
'193 patent at 22:20-25 
'193 patent at 32:49-51 
'193 patent at 33:26-30 
'193 patent at 55:5-11 
'193 patent at 55:39-51 
'193 patent at 57:17-40 
'193 patent at 59:6-18 
'193 patent at 65:66-66:5 
'193 patent at 103:54-104:28 
'193 patent at 149:46-54 
'193 patent at 153:32-154:49 
'193 patent at 188:8-11 
'193 patent at 194:47-51 
'193 patent at 195:10-24 
'193 patent at 210:56-211:9 
'193 patent at 241:17-26 
'193 patent at 245:9-13 
'193 patent at 268:66-269:11 
'193 patent at 269:23-34 




'193 patent at 292:63-67 




'193 patent at 297:61-298:2 




'193 patent at 299:46-49 




'193 patent at 300:44-51 




'193 patent at 308:48-56 




'683 patent at 8:34-37 




'683 patent at 9:56-58 




'683 patent at 10:M 




'683 patent at 24:5-13 




'683 patent at 26:12-16 




'683 patent at 27:24-28 




'683 patent at 30:44-56 




'683 patent at 37:14-19 




'683 patent at 40:10-15 




'683 patent at 41:58-61 


authentication 


Patent Specifications 




'193 patent at 13:33-37 


193. ID 


'193 patent at 64:29-37 


'193 patent at 67:58-60 




'193 patent at 115:17-21 




'193 patent at 123:21-62 




'193 patent at 160:24-26 




'193 patent at 203:58-61 




'193 patent at 204:2-11 




'193 patent at 204:27-34 




'193 patent at 213:1-15 




'193 patent at 218:38-220:19 




'193 patent at 230:22-27 




'193 patent at 232:47-53 




'193 patent at 236:21-25 




'193 patent at 290:47-62 




'193 patent at 319:27-29 




'683 patent at 7:42-45 




'683 patent at 8:15-27 




'683 patent at 10:1-4 




'683 patent at 18:65-19:26 




'683 patent at 21:36-52 




'683 patent at 30:65-31:63 




'683 patent at 34:54-57 




'683 patent at 41:18-21 




'683 patent at 48:32-36 




'683 patent at 49:1-17 




File Histories 




'683 File History, 11/12/99 Office Action, p. 7 (citing USP 5,412,717 at 6:19-48). 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 




Tanenbaum, Modern Operating Systems (Prentice Hall, 1992), p. 189. 


authorization information, authorized, not authorized 
193.15, 193.19 

Patent Specifications 
'193 patent at 3:3-9 
'193 patent at 167:8-11 
'193 patent at 167:55-59 
'193 patent at 211:39-212:7 
'193 patent at 214:42-48 
'193 patent at 215:59-216:5 
'193 patent at 220:47-52 
'193 patent at 223:57-60 
'193 patent at 254:40-44 

File Histories 

USP 5,910,987 File History, 9/23/98 Office Action, p. 4. 

Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 120. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 

Cooper, Computer & Communications Security: Strategies for the 1990s, p. 367. 
Laplante, Dictionary of Computer Science, Engineering and Technology (2001), p. 29. 
Microsoft Computer Dictionary, 2nd ed. (Microsoft Press, 1994), p. 32. 
Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 36. 


budget control; budget 
193.1 


Patent Specifications 
'193 patent at 22:47-52 
'193 patent at 50:18 
'193 patent at 51:44-45 
'193 patent at 57:51-54 
'193 patent at 58:26-34 
'193 patent at 58:38-59:37 
'193 patent at 130:58-131:52 
'193 patent at 132:7-26 
'193 patent at 132:55-65 
'193 patent at 133:12-13 
'193 patent at 133:45-59 
'193 patent at 142:41-61 
'193 patent at 143:10-28 
'193 patent at 143:38-144:31 
'193 patent at 150:63-66 
'193 patent at 152:44-47 
'193 patent at 172:14-48 
'193 patent at 172:61-174:33 
'193 patent at 173:21-177:53 
'193 patent at 182:7-14 
'193 patent at 182:22-30 
'193 patent at 184:67-185:1 
'193 patent at 220:20-40 

File Histories 

App. No. 09/328,668, 9/1/00 Office Action, p. 4. 

USP 5,910,987 File History, 9/23/98 Office Action, p. 5. 

Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 249 


can be 


Extrinsic Sources 




The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), pp. 159, 277. 


1 07 1 




capacity 


Patent Specifications 


683.2 


'193 patent at 127:35-62 


Extrinsic Sources 




The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. [illegible] 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 

Webster's College Dictionary of Random House (1991), p. 201. 

Random House Dictionary of the English Language: College Edition (1968), p. [illegible] 

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold, 1983), pp. [illegible] 


clearinghouse 


Patent Specifications 




'193 patent at 3:32-33 


1 Q1 1 O 


'193 patent at 13:17-23 


'193 patent at 25:22-24 




'193 patent at 36:15-48 




'193 patent at 41:8-9 




'193 patent at 47:37-42 




'193 patent at 50:8-9 




'193 patent at 55:57-66 




'193 patent at 56:16-24 




'193 patent at 132:35-37 




'193 patent at 161:66-162:65 




'193 patent at 253:65-254:1 




'193 patent at 255:33-51 




'193 patent at 267:40-42 




'193 patent at 268:29-31 




'193 patent at 269:59-65 




'193 patent at 270:42-58 




'193 patent at 271:44-49 




'193 patent at 280:18-26 




'193 patent at 284:50-59 




File Histories 




USP 6,427,140 File History, 3/30/01 Office Action, p. 3. 




USP 6,112,181 File History, 12/31/98 Office Action, p. 30. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold, 1983), p. 600. 


compares, comparison 


Patent Specifications 




'QOfi nut pnt a* IQ^.Q 10 

y w paieni at ibo.y-lz 


900.155 


'900 patent at 280:63-65 


'900 patent at 322:15-20 




Extrinsic Sources 




The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 384. 




Citations from Sources Designated by Microsoft under PLR 4-2(b) 




The New IEEE Standard Dictionary of Electrical and Electronic Terms (IEEE, 1993), p. 221. 

Illustrated Dictionary of Computing, 2nd ed. (Prentice Hall, 1992), p. 110. 

The American Heritage Dictionary of the English Language (1969), p. 271. 

Webster's College Dictionary of Random House (1991), p. 276. 

Funk & Wagnalls Standard College Dictionary (1973-74), p. 275. 

Random House Dictionary of the English Language: College Edition (1968), p. 273. 

Webster's Ninth New Collegiate Dictionary (Merriam-Webster, 1987), pp. 276-277. 

IBM Dictionary of Computing (McGraw Hill, 1994), pp. 124-125. 


component assembly 
912.8, 912.35 


Patent Specifications 
'193 patent at 25:54-26:9 
'193 patent at 50:35-36 
'193 patent at 83:12-88:21 
'193 patent at 112:46-113:62 
'193 patent at 115:43-116:51 
'193 patent at 133:43-45 
'193 patent at 138:31-37 
'193 patent at 159:61-160:8 
'193 patent at 169:62-170:4 
'193 patent at 171:39-42 
'193 patent at 247:58-64 
'193 patent at 250:21-34 
'193 patent at 260:36-47 

File Histories 

'912 File History, 9/22/98 Office Action, pp. 2-3 (citing USP 5,748,960); see also USP 
5,748,960 at 1:33-67 and 16:32-41. 

'912 File History, 6/24/98 Amendment, pp. 73-75. 

'912 File History, 12/24/97 Office Action, pp. 2-3 (citing USP 5,629,980; USP 
5,499,298; and USP 5,457,746); see also USP 5,629,980 at 9:6-11:29; USP 5,499,298 
at 6:46-8:23; and USP 5,457,746 at 10:8-67. 

App. No. 09/342,899 File History, 12/12/00 Amendment, p. 7. 
App. No. 09/342,899 File History, 12/13/01 Response, p. 3. 


contain, contained, containing 
683.2, 912.8, 912.35 


Patent Specifications 
'193 patent at 19:15-21 
'193 patent at 58:48-58 

Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 406. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 

Webster's College Dictionary of Random House (1991), p. 293. 




Random House Dictionary of the English Language: College Edition (1968), p. 289. 




Que's Computer Programmer's Dictionary (1993), p. 93. 


control (n.) 
193.1, 193.11, 193.15, 193.19, 891.1 

Patent Specifications 
'193 patent at 5:19-24 
'193 patent at 6:33-45 
'193 patent at 7:13-19 
'193 patent at 10:66-11:18 
'193 patent at 12:12-14 
'193 patent at 13:54-60 
'193 patent at 15:3-7 
'193 patent at 15:18-21 
'193 patent at 15:33-38 
'193 patent at 15:46-50 
'193 patent at 17:15-21 
'193 patent at 17:46-67 
'193 patent at 18:29-42 
'193 patent at 19:13-32 
'193 patent at 22:47-58 
'193 patent at 25:48-52 
'193 patent at 25:52-26:12 
'193 patent at 28:19-44 
'193 patent at 29:21-28 
'193 patent at 30:62-65 
'193 patent at 32:30-34 
'193 patent at 33:11-19 
'193 patent at 33:63-34:3 
'193 patent at 34:30-37 
'193 patent at 42:21-38 
'193 patent at 42:39-43:1 
'193 patent at 43:25-44:2 
'193 patent at 44:34-52 
'193 patent at 45:11-15 
'193 patent at 45:33-36 
'193 patent at 48:29-35 
'193 patent at 49:11-12 
'193 patent at 49:50-55 
'193 patent at 53:53-59 
'193 patent at 56:26-32 
'193 patent at 57:27-36 
'193 patent at 57:51-55 
'193 patent at 58:27-34 
'193 patent at 59:1-25 
'193 patent at 71:20-25 
'193 patent at 77:32-34 
'193 patent at 77:45-63 
'193 patent at 77:64-78:3 
'193 patent at 78:6-9 
'193 patent at 110:54-55 
'193 patent at 121:15-32 
'193 patent at 127:6-26 
'193 patent at 128:25-33 
'193 patent at 129:52-60 
'193 patent at 129:64-67 
'193 patent at 130:26-29 
'193 patent at 130:41 




'193 patent at 131:33-50 
'193 patent at 131:59-132:18 
'193 patent at 135:49-58 
'193 patent at 137:4-7 
'193 patent at 148:59-149:7 
'193 patent at 149:13-153:31 
'193 patent at 169:5-13 
'193 patent at 174:15-177:53 
'193 patent at 182:43-44 
'193 patent at 217:40-42 
'193 patent at 242:7-53 
'193 patent at 243:28-37 
'193 patent at 245:9-14 
'193 patent at 247:30-51 
'193 patent at 247:61-248:8 
'193 patent at 258:53-55 
'193 patent at 264:16-19 
'193 patent at 264:40-49 
'193 patent at 268:62-64 
'193 natpnt at 971 *S8-61 
'193 patent at 276:10-17 
'193 patent at 280:49-58 
'193 patent at 284:22-26 
'193 patent at 293:24-29 
'193 patent at 293:64-294:1 
M93 natpnt at 7Q7-61 -9QR*'? 
'193 patent at 298:54-62 
'193 patent at 301:66-302:2 
'193 patent at 314:58-64 
"1Q3 nfltpnt at 




File Histories 

'193 File History, 12/20/96 Office Action, pp. 2-3. 

'193 File History, 6/20/97 Response, pp. 23-25. 

'193 File History, 6/7/00 Office Action, pp. 2-4 (citing USP 4,595,950); see also USP 4,595,950 at 4:4-18; 4:28-33; 4:38-54; 4:64-5:20; 5:35-58; 6:38-65; 7:5-41; 8:48-57; 9:1-39; 9:54-66; and 12:29-13:33. 

'900 File History, 8/27/98 Office Action, pp. 3-4 (citing USP 5,048,085 at 2:41-46). 

'891 File History, 12/20/96 Office Action, pp. 2-3 

USP 5,915,019 File History, 7/28/97 Office Action, pp. 2-3 (citing USPs 5,638,443; 5,563,946; USP 5,509,070; and 5,504,818); see also USP 5,638,443 at 10:61-11:67; USP 5,563,946 at 8:27-58 and 9:25-39; USP 5,509,070 at 7:10-8:9; and USP 5,504,818 at 6:33-67. 

USP 5,915,019 File History, 4/15/98 Office Action, pp. 3-4 (citing USP 5,311,591); see also 5,311,591 at 2:14-46; 11:4-10; and 12:7-20. 

USP 6,389,402 File History, 3/15/00 Office Action, p. 2. 

09/328,668 File History, 9/1/00 Office Action, p. 4. 

USP 5,910,987 File History, 9/23/98 Office Action, p. 4 (citing USP 5,412,717 at 9:33-57); see also USP 5,412,717 at 2:24-26; 5:3-7; and Figs. 2 and 3(c). 

USP 6,363,488 File History, 12/19/00 Office Action, p. 2-4 (citing USP 4,658,093); see also USP 4,658,093 at 4:48-63, and Abstract). 

USP 6,237,786 File History, 7/17/00 Office Action, pp. 2-3 (citing USP 4,827,508); see also USP 4,827,508 at 8:61-9:2; 9:32-36; 19:8-26; and 21:39-55). 

USP 6,112,181 File History, 12/31/98 Office Action, p. 14 (citing USP 5,740,549 at 16:45-54). 

USP 5,949,876 File History, 7/18/97 Office Action, pp. 2-3 (citing USP 5,504,837 at 7:48-8:44; USP 5,508,913 at 3:56-4:11; and USP 5,260,999 at 42:63-43:20 and 45:18-30). 


controlling, control (v.) 
861.58, 193.1 

Patent Specifications 
'193 patent at 15:46-50 
'193 patent at 33:26-30 
'193 patent at 62:58-60 
'193 patent at 63:39-44 
'193 patent at 64:55-58 




'193 patent at 65:35-38 




'193 patent at 68:46-49 




'193 patent at 68:51-53 




'193 patent at 76:37-41 




'193 patent at 77:48-57 




'193 patent at 128:41-46 




'193 patent at 139:60-140:1 




'193 patent at 159:23-26 




'193 patent at 172:51-55 




'193 patent at 174:15-29 




'193 patent at 241:17-26 




'193 patent at 268:29-31 




'193 patent at 273:42-46 




'193 patent at 288:11-12 




'193 patent at 296:13-14 




'683 patent at 24:33-39 




'683 patent at 27:22-24 




File Histories 




'683 File History, 11/12/99 Office Action, p. 13. 




USP 6,389,402 File History, 12/6/00 Office Action, p. 3. 




USP 6,363,488 File History, 12/19/00 Office Action, p. 2. 




USP 6,427,170 File History, 3/3/01 Office Action, p. 4. 




Extrinsic Sources 




The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), pp. 410, 784. 




Citations from Sources Designated by Microsoft under PLR 4-2(b) 

Laplante, Dictionary of Computer Science, Engineering and Technology (2001), p. 104. 

Webster's College Dictionary of Random House (1991), p. 297. 

Funk & Wagnalls Standard College Dictionary (1973-74), p. 295. 




Random House Dictionary of the English Language: College Edition (1968), p. 293. 




Webster's Ninth New Collegiate Dictionary (Merriam-Webster, 1987), p. 285. 


copied file 


Patent Specifications 




'193 patent at 325:32-40 


1 Q1 1 1 






See Digital File; Copy; Copy Control 


copy, copied, copying 
193.1, 193.11, 193.15, 193.19 

Patent Specifications 
'193 patent at 20:36-43 
'193 patent at 23:10-15 
'193 patent at 25:18-24 
'193 patent at 26:59-67 




'193 patent at 28:19-23 




'193 patent at 37:27-36 




'193 patent at 37:59-64 




'193 patent at 48:29-35 




'193 patent at 53:60-62 




'193 patent at 57:67-58:3 




'193 patent at 80:40-48 




'193 patent at 109:15-22 




'193 patent at 131:10-17 
'193 patent at 131:65-132:1 
'193 patent at 143:14-18 
'193 patent at 159:24-26 
'193 patent at 167:63-67 
'193 patent at 194:14-19 
'193 patent at 226:11-16 
'193 patent at 264:29-49 




'193 patent at 279:3-9 




'193 patent at 288:46-52 




'193 patent at 319:12-15 




'193 patent at 323:50-324:7 




Extrinsic Sources 




Personal Computer Dictionary (1995), p. 47. 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. [illegible] 

Webster's New World Dictionary of Computer Terms, 6th Edition (1997), p. 118. 

Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 120. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 

Dictionary of Scientific and Technical Terms, 5th ed. (McGraw-Hill, 1994), p. 461. 




See Copied File 


copy control 
193.1 

Patent Specifications 
'193 patent at 38:4-9 
'193 patent at 48:12-35 
'193 patent at 65:24-38 
'193 patent at 68:51-61 
'193 patent at 72:1-9 
'193 patent at 133:39-50 
'193 patent at 162:10-15 
'193 patent at 167:41-43 
'193 patent at 220:28-40 
'193 patent at 226:11-16 
'193 patent at 237:34^7 
'193 patent at 252:51-58 
'193 patent at 264:28-57 
'193 patent at 278:9-25 
'193 patent at 316:16-317:19 
'193 patent at 322:46-323:7 
'193 patent at 325:32-40 


data item 
891.1 

Patent Specifications 
'193 patent at 9:27-31 
'193 patent at 58:48-57 
'193 patent at 67:56-57 
'193 patent at 126:8-52 
'193 patent at 312:63-66 




Extrinsic Sources 




Wyatt, Computer Professional's Dictionary (Osborne McGraw-Hill, 1990), p. 101. 




Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 131. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 

Microsoft Computer Dictionary, 2nd ed. (Microsoft Press, 1994), pp. 107-108. 

Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 130. 

McNulty, Security on the Internet, Statement Before the Subcommittee on Science, 
Committee on Science, Space, and Technology, U S House of Representatives (Mar. 
22, 1994), p. 9 ("Data Integrity - Verification that the contents of a data item (e.g., 
message, file, program) have not been accidentally or intentionally changed in an 
unauthorized manner"). 


derive, derives 
900.155 

Patent Specifications 
'900 patent at 73:38-42 
'900 patent at 74:36-42 
'900 patent at 75:30-36 
'900 patent at 75:41-49 
'900 patent at 245:25-39 
'900 natent at 547-4-1 2 
'900 patent at 247:20-26 




Extrinsic Sources 




The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 504. 




Citations from Sources Designated bv Microsoft under PLR 4-2(b) 




Webster's College Dictionary of Random House (1991), p. 365. 




Funk & Wagnalls Standard College Dictionary (1973-74), p. 360. 




Random House Dictionary of the English Language: College Edition (1968), p. 358. 

See "Derives information from one or more aspects of said host processing environment" (900.155). 


descriptive data structure 
861.58 

Patent Specifications 
'861 patent at 5:26-37 
'861 patent at 5:57-6:7 
'861 patent at 6:8-10 
'861 patent at 6:19-23 
'861 patent at 6:24-31 
'861 patent at 6:38-47 
'861 patent at 7:42-9:63 
'861 patent at 10:49-61 
'861 patent at 11:15-24 
'861 patent at 11:25-47 
'861 patent at 11:58-12:5 
'861 patent at 13:41-14:12 




*Rfi1 n at *»nt at 14*1^ 1Q 

ooi paternal in.ij-zy 




'861 patent at 15:21-34 




'861 patent at 16:11-31 




'861 patent at 17:13-31 




501 patent at i 




'861 patent at 17:61-18:5 




File Histories 




'861 File History Office Action n ^ fcitinp TI^P 5 ^7 S?fiV qpp alcn TT^P 




^ S37 S7fi at 7-Q-67- 101 7-^0 and 16-10-90 




USP 6,138,119 File History, 4/26/00 Office Action, p. 9 


designating 
721.1 

Patent Specifications 
'721 patent at 7:66-8:2 


*1 0^ natpnt at 1.90 


'193 patent at 150:30-33 




'193 patent at 154:64-155:6 




'193 patent at 246:64-66 




'193 patent at 277:56-278:16 




'193 patent at 280:1-4 




Extrinsic Sources 




The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 506. 


device class 


File Histories 




'721 File Hi<;torv 4/ 1V9Q Amendment n 14 

1 £. X i lit Hloi\Jlj t "T/ 1 J/77 rtlllCllLllIlClllj |J. l*t. 


721.1 


Citations from Sources Designated bv Microsoft under PLR 4-2(b) 






The American Heritage Dictionary of the English Language (1969), p. [illegible] 

Webster's College Dictionary of Random House (1991), pp. 250-251, 370. 




Funk & Wagnalls Standard College Dictionary, (1973-74), p. 251. 


digital file 
193.1, 193.11, 193.15, 193.19 

Patent Specifications 
'193 patent at 45:66-46:3 
'193 patent at 123:66-67 
'193 patent at 165:25-30 
'193 patent at 167:33-35 
'193 patent at 258:30-43 

Extrinsic Sources 

Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 194. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold, 1983), p. 494. 

Hurt et al., Computer Security Handbook, 2d ed (Macmillan, 1988), p. 218. 


digital signature, digitally signing 
721.1 


Patent Specifications 
'721 patent at 4:32-35 
'721 patent at 4:64-5:5 
'721 patent at 6:5-15 
'721 patent at 6:42-52 
'721 patent at 7:11-18 
'721 patent at 7:47-57 
'721 patent at 10:56-59 
'721 patent at 10:60-64 
'721 patent at 12:67-13:3 
'721 patent at 14:61-15:16 
'721 patent at 15:31-34 

Extrinsic Sources 

Dictionary of Information Technology, 3d ed. (Van Nostrand Reinhold, 1989) 
Citations from Sources Designated bv Microsoft under PLR 4-2(b) 


Russell et al., Computer Security Basics (O'Reilly & Associates, 1991), p. 410. 
Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 145. 
Garfinkel et al., Practical Unix Security (O'Reilly & Associates, 1991), p. 122. 
Neumann, Computer Related Risks (ACM Press, 1995), p. 345. 


entity's control 
891.1 


Patent Specifications 
'193 patent at 127:41-45 
'193 patent at 128:61-65 
'193 patent at 203:42-45 
'193 patent at 267:34-42 
'193 patent at 277:42-46 
'193 patent at 281:36-39 

See Control 


environment 

912.35, 900.155, 891.1, 683.2, 721.34 


Patent Specifications 
'193 patent at 13:27-29 
'193 patent at 17:1-6 
'193 patent at 18:34-36 
'193 patent at 25:39-43 




'193 patent at 36:26-29 




'193 patent at 49:3-6 




'193 patent at 49:15-17 




'193 patent at 52:66-53:5 




'193 patent at 69:33-35 




'193 patent at 72:34-39 




i7j patent ai o.hu-hz 




'193 patent at 83:43-48 




* 1 0"5 notant nf 1 Aft. 1 A 1 £ 

i y j paieni ai i w. i u- 1 o 




'193 patent at 106:56-62 




ivj patent at i*h:4j-4j 




'193 patent at 278:45-51 




'900 patent at 245:23-39 




'683 patent at 43:28-29 




/z l patent at i .z 1 -zo 




'721 patent at 6:5-8 




'721 patent at 6:66-7:7 




Extrinsic Sources 




Webster's New World Dictionary of Computer Terms, 6th Edition (1997), p. 178. 




Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 178. 


executable programming, executable 
912.8, 912.35, 721.34 

Patent Specifications 
'193 patent at 25:39-48 
'193 patent at 25:57-60 
'193 patent at 29:24-25 
'193 patent at 73:30-31 




'193 patent at 76:60-67 




'193 patent at 77:32-36 
'193 patent at 77:50-55 
'193 patent at 78:6-7 
'193 patent at 83:12-18 
'193 patent at 83:43-48 
'193 patent at 86:41-56 
'193 patent at 110:60-111:8 




i yj patent at n i .y- 1 o 




'193 patent at 111:20-34 




'193 patent at 126:30-31 




'193 patent at 136:52-55 




4 1 01 not Ant of l.d(V7 1 1 
1 paiCm at 1HU. /-II 




'193 patent at 141:42-56 




'721 patent at 1:21-28 




'721 patent at 5:34-39 




'7*51 nitant of S • "M C 

j patent at o./*t-Zo 




'912 patent at 329:16-24 




File Histories 




'721 File History, 4/13/99 Amendment, p. 14. 




Extrinsic Sources 




Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 182. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 

Krol, The Whole Internet: User's Guide and Catalog (O'Reilly, 1992), p. 69. 

IBM Dictionary of Computing (McGraw Hill, 1994), p. 250. 

Microsoft Computer Dictionary, 2nd ed. (Microsoft Press, 1994), p. 153. 

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold, 1983), p. 1229. 


execution space, execution space identifier 
912.8 

Patent Specifications 
'193 patent at 69:14-22 
'193 patent at 69:33-35 
'193 patent at 70:43-44 
'193 patent at 75:38-42 
'193 patent at 87:35-38 
'193 oatent at 88*18^^ 
'193 patent at 104:39-44 
'193 patent at 105:55-57 
'193 patent at 106:38-43 
'193 patent at 107:31-47 
'193 patent at 107:63-108:7 
'193 patent at 109:27-33 
'193 patent at 113:53-62 
'193 patent at 140:15-141:11 




'912 patent at 327:59-61 




'912 patent at 327:65-67 




'721 patent at 3:16-19 




'721 patent at 4:51-54 




'721 patent at 5:1-5 




'721 patent at 8:34-40 




File Histories 




'721 File History, 4/19/99 Amendment, p. 14. 


governed item 
683.2 

Patent Specifications 
'683 patent at 24:33-39 
'683 patent at 27:22-24 




'193 patent at 9:27-31 




'193 patent at 15:46-50 




'193 patent at 33:26-30 




'193 patent at 58:48-57 




'193 patent at 63:39-44 




'193 patent at 67:56-57 




'193 patent at 76:37-41 




'193 patent at 126:8-52 




'193 patent at 128:41-46 




'193 patent at 139:60-140:1 




'193 patent at 159:23-26 




'193 patent at 172:51-55 




'193 patent at 174:15-29 
'193 patent at 241:17-26 
'193 patent at 273:42-46 
'193 patent at 288:11-12 
'193 patent at 296:13-14 
'193 patent at 312:63-66 




File Histories 

'683 File History, 11/12/99 Office Action, p. 13. 




USP 6,389,402 File History, 12/6/00 Office Action, pp. 2-3. 




USP 6,363,488 File History, 12/19/00 Office Action, p. 2. 




USP 6,427,170 File History, 3/3/01 Office Action, p. 4. 




Extrinsic Sources 

Wyatt, Computer Professional's Dictionary (Osborne McGraw-Hill, 1990), p. 101. 




Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 131. 




The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 784. 




Citations from Sources Designated bv Microsoft under PLR 4-2(b) 

Microsoft Computer Dictionary, 2nd ed. (Microsoft Press, 1994), pp. 107-108. 

Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 130. 




McNulty, Security on the Internet, Statement Before the Subcommittee on Science, 
Committee on Science, Space, and Technology, U S House of Representatives (Mar. 
22, 1994), p. 9 ("Data Integrity - Verification that the contents of a data item (e.g., 
message, file, program) have not been accidentally or intentionally changed in an 
unauthorized manner"). 


halting 


Patent Specifications 
'900 patent at 154:34-40 


900.155 


Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 816. 

Citations from Sources Designated bv Microsoft under PLR 4-2(b) 
Dictionary of Scientific and Technical Terms, 5th ed. (McGraw-Hill, 1994), p. 898. 

The American Heritage Dictionary of the English Language (1969), p. 595. 

Dictionary of Computing, 3rd ed. (Oxford, 1990), p. 201. 


host processing environment 
900.155 


Patent Specifications 
'900 patent at 21:1-17 
'900 patent at 49:31-48 
'900 patent at 78:30-40 
'900 patent at 87:32-46 
'900 patent at 96:6-18 
'900 patent at 112:2-27 
'900 patent at 112:48-52 

'193 patent at 13:7-23 
'193 patent at 21:5-25



'193 patent at 76:63-67
'193 patent at 79:30-46
'193 patent at 79:60-81:12
'193 patent at 83:47-48
'193 patent at 88:31-43
'193 patent at 104:39-64
'193 patent at 105:25-39
'193 patent at 203:63-65
'193 patent at 225:43-46



'683 patent at 20:16-19
'683 patent at 29:50-30:3 



identifier, identify, identifying 

193.11, 193.15, 912.8, 912.35,
861.58 



Patent Specifications 
'193 patent at 25:31-38 
'193 patent at 68:22-25 
'193 patent at 85:59-63
'193 patent at 88:31-43 
'193 patent at 131:33-45 
'193 patent at 135:54-58 
'193 patent at 140:35-50 
'193 patent at 207:27-35 
'193 patent at 233:35-41 
'193 patent at 268:28-42
'193 patent at 270:12-21
'193 patent at 280:58-66 
'193 patent at 298:45-54 

Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 896. 

Citations from Sources Designated by Microsoft under PLR 4-2(b)
Cooper, Computer & Communications Security: Strategies for the 1990s, p. 375. 

Glossary of Telecommunications Terms (National Communications Systems, 1996), p. 
1-1. 



including 

193.1 (at 320:63, and 321:3);
193.19 (at 324:15); 

912.8 (at 327:36, 39, and 41);
912.35 (330:35 and 39); 
861.58 (at 26:53 and 63); and 

683.2 (at 63:60). 



Patent Specifications 
'193 patent at 58:48-53 
'193 patent at 126:62-65
'193 patent at 133:62-134:14 
'193 patent at 136:53-56 

Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 913 

Citations from Sources Designated by Microsoft under PLR 4-2(b)

Webster's College Dictionary of Random House (1991), p. 680. 

Funk & Wagnalls Standard College Dictionary (1973-74), p. 680. 

Random House Dictionary of the English Language: College Edition (1968), p. 673. 

Webster's Ninth New Collegiate Dictionary (Merriam-Webster, 1987), p. 609. 


information previously stored 
900.155


Patent Specifications 
'900 patent at 239:15-55
'900 patent at 240:31-34

Citations from Sources Designated by Microsoft under PLR 4-2(b)


The American Heritage Dictionary of the English Language (1969), p. 1038. 
Webster's College Dictionary of Random House (1991), pp. 691, 1070. 


integrity programming 
900.155 


Patent Specifications 

'900 patent at 228:28-39 
'900 patent at 231:23-31
'900 patent at 233:8-15
'900 patent at 236:11-13
'900 patent at 236:31-38 
'900 patent at 236:31-237:53 
'900 patent at 239:4-240:6 
'900 patent at 240:16-42 
'900 patent at 243:29-41 
'900 patent at 243:63-244:43 
'900 patent at 246:52-247:57 

Citations from Sources Designated by Microsoft under PLR 4-2(b)

The New IEEE Standard Dictionary of Electrical and Electronic Terms (IEEE, 1993),
pp. 304, 663.

Russell et al., Computer Security Basics (O'Reilly & Associates, 1991), p. 414. 
Neumann, Computer Related Risks (ACM Press, 1995), p. 2. 


key 
193.19 


Patent Specifications 
'193 patent at 12:35-39
'193 patent at 22:1-14 
'193 patent at 49:3-4 
'193 patent at 59:16-18
'193 patent at 67:26-31
'193 patent at 119:17-18 
'193 patent at 129:30-35 
'193 patent at 143:6-9 
'193 patent at 200:1-9 
'193 patent at 200:25-58 
'193 patent at 201:50-55 
'193 patent at 202:38-51 
'193 patent at 207:50-60 
'193 patent at 211:18-20
'193 patent at 211:30-216:21

Extrinsic Sources 

Mambo et al., A Tentative Approach to Constructing Tamper-Resistant Software, pp. 
23-24. 

Parks, Microsoft Corporation, Microsoft® Windows Media™ Device Digital Rights 
Manager v7.1 (WM D-DRM): Overview And Design (WinHEC 2002 Presentation) 
slide 21. 

Davies, Security For Computer Networks: An Introduction to Data Security in 
Teleprocessing and Electronic Funds Transfer, Second Edition, (1984) p. 113.



Howard et al., Writing Secure Code, Microsoft Press (2002), p. 175 



Europay International S. A., MasterCard International Incorporated, and Visa 
International Service Association, Integrated Circuit Card Specification for Payment 
Systems (June 30, 1996), Page E-3 

The International Telegraph And Telephone Consultative Committee, Security 
Architecture For Open Systems Interconnection For CCITT Applications, (1991), p. 5

Ehrsam et al., A cryptographic key management scheme for implementing the Data 
Encryption Standard, IBM Systems Journal 17, No. 2, 106-125, pp. 128-130. 

Banking - Personal Identification Number management and security - Part 1: PIN
protection principles and techniques (International Organization of Standardization, 
ISO 9564-1 1991-12-15, First Edition) pp. 3 and 20. 

USP 4,168,396 (Best) at 2:7-9 

USP 5,509,070 (Schull) at 15:1-12

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/diffie_hellman_keys.asp (Oct. 2002)

Diffie and Hellman, New Directions in Cryptography, IEEE Transactions on
Information Theory, v. IT-22, n. 6 (Nov. 1976), pp. 644-654.

Schneier, Applied Cryptography, 2nd ed. (Wiley, 1996), pp. 170-175, 189-211, 265-278, 397-398, 513-516.

National Bureau of Standards, NBS FIPS PUB 81, DES Modes of Operation, US 
Department of Commerce (Dec. 1980). 

Telecom Glossary 2000, Technical Subcommittee on Performance and Signal 
Processing (American National Standard for Telecommunications, Feb. 2001), see 
entries for "derivation key," "key encrypting key pair," "key production key," "variant 
of a key," "key encrypting key," "master key," "linear key," "key type," "seed key." 
On the web at http://www.atis.org/tg2k/_derivation_key.html et seq. 

Citations from Sources Designated by Microsoft under PLR 4-2(b)

National Information System Security (INFOSEC) Glossary, NSTISSI No. 4009 (Sept.
2000), p. 32.

Glossary of Telecommunications Terms (National Communications Systems, 1996),
pp. K-1, K-2, M-15.

Shirey, Internet Security Glossary, Network Working Group, RFC 2828 (May 2000),
p. 49.

Freedman, The Computer Glossary: The Complete Illustrated Desk Reference, 6th ed.
(Computer Language Co., 1992), p. 297. 

Pfleeger, Security in Computing (Prentice Hall, 1989), p. 398. 

Cooper, Computer & Communications Security: Strategies for the 1990s (Intertext 
Publications/Multiscience Press, 1989), pp. 334-335. 


load module 


Patent Specifications 




'193 patent at 17:15-21 


912.8, 721.1 


'193 patent at 18:28-33 


'193 patent at 25:39-52




'193 patent at 25:57-63 




'193 patent at 34:26-37 




'193 patent at 50:65 




'193 patent at 71:26-31 




'193 patent at 77:21-25 




'193 patent at 85:21-29 




'193 patent at 86:36-60




'193 patent at 110:60-67 




'193 patent at 111:59-65 




'193 patent at 126:15-31 




'193 patent at 136:52-60 




'193 patent at 139:14-142:38 




'193 patent at 151:19-22 




'721 patent at 3:21-35

'721 patent at 4:5-9




'721 patent at 4:22-42 




'721 patent at 5:26-39 




'721 patent at 14:39-60 




File Histories




09/342,899 File History, 6/12/00 Office Action, p. 4 (citing USP 5,748,960 at 6:63-67); see also USP 5,748,960 at 1:33-52; 9:14-19; 11:15-25; 14:47-59; and 16:2^9




09/328,668 File History, 5/16/01 Office Action, p. 4. 




Extrinsic Sources 




Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 287. 


machine check programming 


Patent Specifications

'900 patent at 231:23-31


900.155 


'900 patent at 233:8-15 




'900 patent at 236:11-13 




'900 patent at 236:31-237:53 




'900 patent at 239:4-240:6 




'900 patent at 240:16-42




'900 patent at 243:29-41 




'900 patent at 243:63-244:43




'900 patent at 246:52-247:57 


opening secure containers 


Patent Specifications 




'683 patent at 8:28-31 


683.2 


'683 patent at 9:59-61 


'683 patent at 13:6 




'683 patent at 15:67-16:4 




'683 patent at 18:42-49 




'683 patent at 42:34-52 




'683 patent at 49:31-38 




'683 patent at 56:17-25 




'193 patent at 183:24-25




'193 patent at 184:6-22 




'193 patent at 185:11-12 




'193 patent at 254:45-46 




Citations from Sources Designated by Microsoft under PLR 4-2(b)

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold,
1983), p. 1051.


operating environment 


Patent Specifications 




'193 patent at 34:37-41 


891.1


'193 patent at 34:54-59 


'193 patent at 63:13-17




Extrinsic Sources 




Webster's New World Dictionary of Computer Terms, 6th ed. (1997), p. 370.


organization, organization 


Patent Specifications 


information, organize 


'861 patent at 5:57-6:7 




'861 patent at 7:54-58 


861.58 


'861 patent at 10:38-53 


'861 patent at 14:14-29




'861 patent at 28:34-43 




'861 patent, Abstract 




'193 patent at 33:43-49 




'193 patent at 103:23-32 




'193 patent at 127:17-19 




'193 patent at 232:63-233:1 




'193 patent at 274:54-58 




'193 patent at 294:41-45




'193 patent at 302:2-12 




'193 patent at 309:4-9 


portion 


Patent Specifications 




'193 patent at 23:66-24:2 


193.1, 193.11, 193.15, 193.19, 


'193 patent at 24:41-43 


moo ah ic o^i co 

912.8, 912.35, 861.58 


'193 patent at 46:22-24


'193 patent at 59:34-37 




'193 patent at 128:49-55 




'193 patent at 226:14-16 




'193 patent at 299:19-31 




Extrinsic Sources 




The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1412. 




Citations from Sources Designated by Microsoft under PLR 4-2(b)

Webster's College Dictionary of Random House (1991), p. 1052.




Funk & Wagnalls Standard College Dictionary (1973-74), p. 1052. 


prevents 


Patent Specifications 




'721 patent at 6:56-62 


721.34 






Extrinsic Sources 




The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1436.




Citations from Sources Designated by Microsoft under PLR 4-2(b)




Webster's College Dictionary of Random House (1991), p. 1070.




Random House Dictionary of the English Language: College Edition (1968), p. 1050. 


processing environment 


Patent Specifications 




'193 patent at 13:17-23 


912.35, 900.155, 721.34, 683.2


'193 patent at 75:65-76:9 


'193 patent at 79:36-39




'721 patent at 1:21-28 




File Histories 




USP 5,915,019 File History, 4/15/98 Office Action, p. 4. 




Extrinsic Sources 




Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 383. 




Citations from Sources Designated by Microsoft under PLR 4-2(b)

IBM Dictionary of Computing (McGraw Hill, 1994), p. 533.


protected processing environment 


Patent Specifications 


721.34, 683.2


'193 patent at 13:7-14 




'193 patent at 13:17-23 




'193 patent at 79:24-83:9




'193 patent at 105:15-41 




'193 patent at 223:30-225:19




'193 patent at 226:43-57 




'193 patent at 277:26-32 




'193 patent at 278:45-65




'193 patent at 283:44-46 




'193 patent at 291:39-49 




'193 patent at 298:9-10 




'193 patent at 318:1-5




'683 patent at 12:59-61 




'683 patent at 16:60-62 




'683 patent at 29:51-30:3 




'721 patent at 3:16-21 




'721 patent at 8:33-40 




File Histories 




ii\ rue History, Amendment, p. 13. 


protecting 


Extrinsic Sources




The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1456. 


683.2 




record (n.) 


Patent Specifications 




'193 patent at 134:54-58 


912.8, 912.35


'193 patent at 138:12-139:13 


'193 patent at 264:20-57




'193 patent at 324:64-67 




File Histories 




'912 File History, 12/24/97 Office Action, pp. 2-3 (citing USP 5,629,980); see also 



USP 5,629,980 at 9:6-11:29. 

'912 File History, 6/24/98 Amendment, pp. 73-74.

'912 File History, 9/22/98 Office Action, pp. 2-3 (citing USP 5,748,960); see also USP
5,748,960 at 11:7-13 and 12:46-48.

Extrinsic Sources 

Personal Computer Dictionary (1995), p. 149. 

Citations from Sources Designated by Microsoft under PLR 4-2(b)

The New IEEE Standard Dictionary of Electrical and Electronic Terms (IEEE, 1993),
p. 1087.

Hutt et al., Computer Security Handbook, 2nd ed. (1987), p. 389.

Telecommunications: Glossary of Telecommunications Terms (National
Communications Systems, 1996), p. R-10.

Hansen, The Dictionary of Computing and Digital Media: Terms and Acronyms
(1999), p. 261.

Dictionary of Scientific and Technical Terms, 5th ed. (McGraw-Hill, 1994), p. 1664.

Illustrated Dictionary of Computing, 2nd ed. (Prentice Hall, 1992), p. 505.

Laplante, Dictionary of Computer Science, Engineering and Technology (2001), p.
410.

Webster's New World Dictionary of Computer Terms, 4th ed. (1992), p. 349.

Longley et al., Information Security: Dictionary of Concepts, Standards and Terms
(Stockton Press, 1992), p. 437.

IBM Dictionary of Computing (McGraw Hill, 1994), p. 561.

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold,
1983), p. 1272.



Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1533. 

Citations from Sources Designated by Microsoft under PLR 4-2(b)

Random House Dictionary of the English Language: College Edition (1968), p. 1121.



resource processed 


Patent Specifications




'193 patent at 7:48-57 


891.1 


'193 patent at 21:5-25

'193 patent at 29:3-8




'193 patent at 38:60-39:8 




'193 patent at 40:1-7 




'193 patent at 57:49-51 




'193 patent at 64:2-5 




'193 patent at 69:63-65

'193 patent at 51:61

'193 patent at 72:39-44

'193 patent at 74:28-37

'193 patent at 75:5-8



required 
912.8, 861.58 




'193 patent at 75:15-30
'193 patent at 75:42-47
'193 patent at 76:61-77:11
'193 patent at 77:57-63
'193 patent at 79:36-39
'193 patent at 79:50-54
'193 patent at 79:64-67
'193 patent at 80:9-12
'193 patent at 80:30-35
'193 patent at 81:14-19
'193 patent at 81:32-35
'193 patent at 88:50-52
'193 patent at 89:49-55
'193 patent at 90:31-46
'193 patent at 91:12-25
'193 patent at 94:14-18
'193 patent at 100:32-35
'193 patent at 100:46-54
'193 patent at 101:38-42
'193 patent at 104:49-52
'193 patent at 104:59-64
'193 patent at 108:1-4
'193 patent at 141:49-55
'193 patent at 201:47-49
'193 patent at 201:57-58
'193 patent at 241:52-55
'193 patent at 252:60-62
'193 patent at 258:45-52
'193 patent at 276:53-58
'193 patent at 282:20-24
'193 patent at 283:23-28
'193 patent at 283:40-44
'193 patent at 284:16-28
'193 patent at 313:3-18
'193 patent at 314:33-39




File Histories 




'891 File History, 12/20/96 Office Action, p. 2.

USP 6,363,488 File History, 12/19/00 Office Action, p. 2.


rule 


Patent Specifications 




'683 patent at 6:11-22

861.58, 683.2

'683 patent at 11:37-38
'683 patent at 15:22
'683 patent at 24:26-33
'683 patent at 45:60-63
'683 patent at 47:42-45
'683 patent at 54:29-37
'683 patent at 55:23-26
'193 patent at 53:53-59
'193 patent at 59:1-5
'193 patent at 149:24-40
'193 patent at 241:11-14
'193 patent at 241:29-36
'193 patent at 242:9-61









i5o patent at Z43.4- / 




lyj patent at Z43.D /-Oz 




iyj patent at zj3.y-3U 




lyj patent at ZJ3..34-4U 




iyj patent at zj,3.40-4y 




'861 patent at 1:53-60




'861 patent at 2:13-36 




'861 patent at 6:19-23




ooi patent at 0:00-10:? 




'861 patent at 18:26-44 




'861 patent at 20:38-51 




'861 patent, Abstract




File Histories 




'683 File History, 11/12/99 Office Action, pp. 4, 6 (citing USP 5,412,717 at 10:8-39);
see also USP 5,412,717 at 2:24-48 and 12:24-44.




USP 6,427,140 File History, 3/30/01 Office Action, pp. 3-4. 




USP 6,138,119 File History, 10/26/99 Office Action, p. 4.

USP 6,138,119 File History, 4/26/00 Office Action, p. 9.




App. No. 09/498,369, 5/30/02 Office Action, p. 3 (citing 5,765,152 patent at 4:61-5:4).




uor o,3oy,**uz rue History, iz/o/uu umce Action, pp. 2-3, o (citing UoP 3,790,700 




ortH T TCP ^ AOO OCA 4t /I TV oaa T TOTJ 1 "7AA "7AA n + C. 1 >1 ID 1 C A£L J T Tori 

ana usr D,ozy,you at 23.3 /-42j, see also Uor 3,/yu,/00 at 5:14-18, 35-46; and USP 




5,ozy,yo0 at 23:9-42. 


secure 


Patent Specifications 




'193 patent at 8:1-7

193.1, 193.11, 193.15, 912.35,

'193 patent at 12:33-39

861.58, 891.1, 683.2, 721.34

'193 patent at 13:54-57
'193 patent at 17:33-37
'193 patent at 17:67-18:5
'193 patent at 21:26-29
'193 patent at 22:15-19
'193 patent at 41:37-42
'193 patent at 42:8-16
'193 patent at 45:19-32
'193 patent at 45:39-45
'193 patent at 45:52-59




iyi patent at 4o:4-5 




i7 j patent at 4y:33-55 




i73 patent at 4y:!>y-o2 




iyj patent at 5y.4o-5y 




iyj patent at o3:35-3y 




iyj patent at o3:4o-o4:4 / 




iyi patent at 68:oo-o9:22 




'193 patent at 71:31-40




4 1 93 Datent at 7 V 1 9-17 




'193 patent at 81:12-19 




'193 patent at 77:30-78:18
'193 patent at 80:22-81:19
'193 patent at 83:44-48
'193 patent at 84:60-85:2
'193 patent at 87:33-66




'193 patent at 88:36-43 
'193 patent at 125:60-64
'193 patent at 126:6-8
'193 patent at 126:30-32
'193 patent at 199:36-200:9
'193 patent at 200:66-201:4
'193 patent at 203:58-204:2
'193 patent at 216:22-217:12
'193 patent at 221:1-37 
'193 patent at 226:55-56 
'193 patent at 233:25-30 
'193 patent at 233:51-54 
'193 patent at 238:46-65 

'721 patent at 1:19-28 

File Histories 

App. No. 09/328,668, 5/16/01 Office Action, p. 2 (citing USP 5,388,211 at 5:35-40).
'683 File History, 11/12/99 Office Action, p. 11.

Extrinsic Sources

Webster's New World Dictionary of Computer Terms, 6th Edition (1997), p. 463.

Citations from Sources Designated by Microsoft under PLR 4-2(b)


The New IEEE Standard Dictionary of Electrical and Electronic Terms (IEEE, 1993) 
p. 1181. 

Cooper, Computer & Communications Security: Strategies for the 1990s, p. 383. 

Freedman, The Computer Glossary: The Complete Illustrated Desk Reference 
(Computer Language Co., 1992), p. 460. 

Dictionary of Computing, 3rd ed. (Oxford, 1990), p. 406.

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold,
1983), pp. 493-497. 

Landwehr, Formal Models for Computer Security, ACM Computer Surveys (Sept. 3, 
1981), pp. 247, 253. 

Mullender, Distributed Systems, 2nd ed. (Addison-Wesley, 1993), p. 420. 

Hutt et al., Computer Security Handbook, pp. 75, 201, 218, 221, 292-93.

Hoffman, Modern Methods for Computer Security and Privacy (Prentice-Hall 1977) 
p. 170. 

Garfinkel et al., Practical Unix Security (O'Reilly & Associates, 1991), pp. 12-13. 
Neumann, Computer Related Risks (ACM Press, 1995), pp. 2, 96. 
Tanenbaum, Modern Operating Systems (Prentice Hall, 1992), p. 182. 


secure container 


Patent Specifications 
'683 patent at 7:10-13 
'683 patent at 9:59-61


912.35, 861.58, 683.2 


'683 patent at 15:61-16:4 




'683 patent at 18:49-56 




'683 patent at 25:29-34
'683 patent at 25:62-26:4
'683 patent at 29:64-66
'683 patent at 53:3-5
'193 patent at 8:1-7




4 193 natent at R*S3-fifi 




"193 natpnt at 17-40-43 

is j paiciii ai lA.tU^tJ 




*193 natent at 1 3*44-14*4 
i/j paicm dl i J ,*t*t- i*t.*t 




* 1 03 natpnt at 1 V3Q-4n* 
i"J pdlcul al i J*Dy-*r\j 




* 1 03 natpnt at 1 7*46-^ 
i/j paicm al i /.HO'JJ 




1 1 03 natpnt at 10-1 ^.37 
i J* 7 J pdicm al ly.l 




'103 natpnt at 77*70.7f 
17j pdlCUl al ^Z.^iJ'Zj 




*103 natpnt at 74*64 7V7 
1 7 j paicm al zh.Ot-aj.a 




'103 natpnt at 31 3? -3 
i/j pdicni di ji.qO'jZ.j 




* 103 natpnt at 33*94 9 A 

17J pdlCIll al JJ.^T'^U 




* 1 03 natpnt at 34- 1 3-4 Q 
iyj pdicni al oh* i j-Hy 




4 1 03 natpnt at 43 OA 3? 




'103 natpnt at ^9*S^ $6 
iyj paicm ai jx.jj-ju 




4 103 natpnt at ^R*37 ^Q*-\ 
17J pdlCUl al Do. j /-J7.J 




*103 natpnt at 103-47 

17J pdlCIll dL lUJ.t / VO 




1 1 03 natpnt at 1 A4* 1 7 78 
i"J pdlcul al I"Lrr.lZ-Zo 




1 1 03 natpnt at 1 ?A> 1 **? 7R 
i"J pdicni al IZO.i j-Zo 




* 103 natpnt at 1 77*7 134-73 

17J pdlCIll dl 1Z/.Z-1jH.Zj 




' 103 natpnt at 1 78*1 1 71 
i 7j pdicni di izo.i l -z i 




1 103 natpnt at 1 80*7*1 70 
iyj pdicni al lo". Zj-Z*7 




* 1 03 matAnt at 741 **\ 1 *\ 
I yj pdlcul al Z**4 1 ..)- 1 J 




M03 natpnt at 7/vd*4fi_4Q 
pdicni di zoh .*r\j-Hy 




* 1 03 natpnt at 774 • **\4 1 
pdicni al Z /*t.j #s f-Oi 




* 1 03 natpnt at 777* 1 3 1 
1 pdicni al Z / / . 1 J>- 1 J 




'193 patent at 284:8-16

'193 patent at 291:29-33




1 103 natpnt at 707*77-47 

iyj pdLCIll dl Z7Z.Z /—*t / 




' 1 03 natpnt at 301 *3n* *"7 
i ^ J paicm ai Jul . J / 




'193 patent at 313:33-36

'193 patent at 314:43-49




•1Q3«ar*»n* at317**\7 712. C 

i y o pdicni ai jj / .j/oio.o 




'861 patent at 2:12-16




'861 patent at 5:26-30 




'861 patent at 6:24-29 




Extrinsic Sources 




USP 5,634,019 at 7:34-49 




Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 1 1 ^




File Histories 




'683 File History, 11/12/99 Office Action, p. 4, 6, 12 (citing USP 5,412,717); see also
USP 5,412,717 at 5:3-37.

'861 File History, 6/25/98 Office Action, p. 5 (citing USP 5,537,526); see also USP
5,537,526 at 15:63-16:25.




USP 6,363,488 File History, 12/19/00 Office Action, pp. 3-4. 




USP 6,237,786 File History, 7/17/00 Office Action, pp. 2-3 (citing USP 4,817,508);
see also USP 4,817,508 at 8:61-9:2; 9:32-36; 19:8-26; and 21:39-55.

09/764,370 File History, 1/18/01 Amendment, pp. 17-19. 

USP 6,427,140 File History, 3/30/01 Office Action, p. 3. 

09/819,063 File History, 9/27/00 Preliminary Amendment, pp. 21-22. 

09/498,369 File History, 5/30/02 Office Action, p. 3 (citing USP 5,765,152 at 4:61- 
5:4); see also USP 5,765,152 at Fig. 7D. 

USP 6,112,181 File History, 12/31/98 Office Action, p. 15 (citing USP 5,740,549 at
16:45-54). 

USP 5,915,019 File History, 4/15/98 Office Action, pp. 3-4 (citing USP 5,311,591 at
2:14-46). 


secure container governed item 
683.2 


Patent Specifications 

'193 patent at 58:38-58 


secure database 
193.1, 193.11, 193.15 


Patent Specifications 
'193 patent at 50:54-55 
'193 patent at 51:11-40 
'193 patent at 62:66-63:7 
'193 patent at 69:56-62 
'193 patent at 71:28-40 
'193 patent at 72:14-25 
'193 patent at 88:27-28 
'193 patent at 90:16-20 
'193 patent at 100:21-101:31 
'193 patent at 157:24-30 
'193 patent at 120:59-66 
'193 patent at 123:64-125:2 
'193 patent at 126:6-67 
'193 patent at 142:67-143:46 
'193 patent at 148:34-43 
'193 patent at 153:33-154:49 
'193 patent at 156:26-169:18 
'193 patent at 205:60-64 
'193 patent at 211:3-9
'193 patent at 215:34-43 
'193 patent at 215:58-218:30 
'193 patent at 226:26-42 

File Histories 

09/342,899 File History, 6/12/00 Office Action, pp. 4-5. 

'193 File History, 6/7/00 Office Action, p. 2 (citing USP 4,595,950); see also USP 
4,595,950 at 4:38-54; 8:52-68; and 14:49-15:11.

'683 File History, 11/12/99 Office Action, pp. 5-6.




'900 File History, 8/27/98 Office Action, p. 7 (citing USP 5,048,085 at 6:55-7:14). 




'900 File History, 12/9/97 Office Action, pp. 5, 10 (citing USP 5,655,077 at 3:60-67
and USP 5,572,673); see also USP 5,655,077 at 4:24-59; and USP 5,572,673, Abstract




Extrinsic Sources 




Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 129.




Wyatt, Computer Professional's Dictionary (Osborne McGraw-Hill, 1990), p. 98. 




Citations from Sources Designated by Microsoft under PLR 4-2(b)

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold,
1983), p. 441.

Hansen, The Dictionary of Computing and Digital Media: Terms and Acronyms
(1999), p. 74.


secure execution space 


Patent Specifications

'721 patent at 6:34-41


721.34 


'721 patent at 6:49-52 




'721 patent at 7:14-25




'721 patent at 8:33-40 


secure memory, memory 


Patent Specifications




'19^ natpnt at 1V7-14 


193.1, 193.11, 193.15 


'193 patent at 21:17-42
'193 patent at 22:15-19
'193 oatent at 23-4V50
'193 patent at 32:15-21
'193 patent at 49:15-17
'193 patent at 59:42-59
* 1 93 oatent at 60* 1
'193 patent at 62:14-24
'193 patent at 62:43-57
'193 patent at 63:60-64:5
'193 patent at 65:64-66:4
'193 patent at 69:14-22
'193 patent at 69:25-51
'193 patent at 69:54-59
'193 patent at 69:65-71:47
'193 patent at 71:48-60
'193 patent at 72:52-73:22
'193 patent at 79:60-81:11




'193 patent at 81:12-19 




'193 patent at 88:62-66 




'193 patent at 104:49-64 




'193 patent at 109:24-60 




'193 patent at 110:47-49 




'193 patent at 111:12-16 




'193 patent at 120:60-63 




'193 patent at 121:41-43 




'193 patent at 125:60-67 




'193 patent at 169:3-12 




'193 patent at 206:8-11 




'193 patent at 216:56-217:20 




'193 patent at 238:4-15 




File Histories 




'900 File History, 6/9/98 Amendment, pp. 7-8.




'900 File History, 8/27/98 Office Action, p. 3 (citing USP 5,048,085 at 6:61-7:14). 




09/698,044 File History, 10/27/00 Amendment, p. 14. 




09/272,998 File History, 10/11/01 Office Action, p. 3.




Extrinsic Sources 




Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 302. 




The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), pp. 1126, 1631-1632.

Citations from Sources Designated by Microsoft under PLR 4-2(b)

Cooper, Computer & Communications Security: Strategies for the 1990s, p. 386.

Hansen, The Dictionary of Computing and Digital Media: Terms and Acronyms
(1999), p. 329.

Dictionary of Scientific and Technical Terms, 5th ed. (McGraw-Hill, 1994), p. 2136.

Webster's Ninth New Collegiate Dictionary (Merriam-Webster, 1987), p. 1317.

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold,
1983), p. 968.


secure operating environment, 


Patent Specifications 


said operating environment 


'193 patent at 13:37-41 




'193 patent at 69:33-35

891.1

'193 patent at 83:44-48




File Histories 




'912 File History, 12/24/97 Office Action, p. 3. 


securely applying 


Patent Specifications 




'193 patent at 9:40-45 


891.1


'193 patent at 18:60-19:1
'193 patent at 19:13-21
'193 patent at 22:48-58
'193 patent at 26:59-67
'193 patent at 28:8-15
'193 patent at 30:38-41
'193 patent at 30:55-65
'193 patent at 33:10-24
'193 patent at 33:30-37
'193 patent at 43:41-43
'193 patent at 45:7-9
'193 patent at 54:36-38
'193 patent at 57:27-28
'193 patent at 59:34-37
'193 patent at 120:15-18
'193 patent at 283:33-39
'193 patent at 299:19-51
'193 patent at 300:6-30




* 1 Ql r\nt/»r»t at lflfi-1 7 

i yj paieni al jUo. 1 - / 


securely assembling

Patent Specifications




i~rj patent ai zj.j /-zo. iz 


912.8, 912.35


Lyj paieni at oj.^o-oj.oy 


i y.5 paieni at 50.oo-oo.zi 




'193 patent at 112:46-113:62




'193 patent at 115:43-116:51 




'193 patent at 126:34-36

'193 patent at 138:32-36




'193 patent at 159:61-160:8 




'193 patent at 250:21-34 




iyo paieni ai zouoo-n/ 


securely processing 


Patent Specifications 




'193 patent at 79:24-81:12

891.1


'193 patent at 104:39-64 


'193 patent at 105:15-20 




File Histories 




'900 File History, 12/9/97 Office Action, p. 6 (citing USP 5,486,622); see also USP 




5,486,622, Abstract 


securely receiving 


Patent Specifications 




1 y5 patent at 5 :4-o 


891.1 


'193 patent at 12:33-39
'193 patent at 13:54-57
'193 patent at 55:52-54
'193 patent at 57:27-36
'193 patent at 60:33-48




193 patent at oz:3z-3y 




iy3 patent at o/.zl-5z 




1V3 patent at oe:o5-oy:l 1 




iy3 patent at /5.05-/0.1 




iy3 patent at /o:iu-3Z 




* 1 G1 nntan i n f "7T.in 7l /I 

iyj patent at //.3U-44 




iV3 patent at oi.zo-3Z 




MQ1 n*)tan( CI. CI QA 

iyj patent at o3.j3-o4 




1 y3 patent at y 1 :3o-5 1 




* 1 01 nniont nf O/C . 1 C 

iy^ patent at yo. 10 




iyj patent at yo. iz-i / 




* 1 Ol o* 1 A1 .Cyl 1 flO'O C 

iy3 patent at iui.54-iuz.zj 




* 1 01 nitanf ni 1 AO *A 1 CI 

iyj patent at iuz.4ioi 




*1G1 nntortt o+ l/Vt-OO IT 

iyj patent at iu4.zy-3/ 




* 1 01 notonf of 1 1 0 'A. A 1 1 Q'A 0 

iyj patent at 1 16.04-j iy. hz 




* 1 01 notont at 101*00 Ofi 

iyo paieni at izj.zz-zo 




* 1 Ol nitant Q t 101-CO. CA 

iyj paieni at izj.duoo 




iyj paieni ai ijd.ji-ijo.z 




'193 patent at 160:65-161:51




'193 patent at 162:39-65 




'193 patent at 162:66-163:35 




'193 patent at 200:66-201:42 




'193 patent at 211:39-212:10 




'193 patent at 214:57-67 




'193 patent at 218:31-220:19 
'193 patent at 225:50-226:36
'193 patent at 227:25-228:30
'193 patent at 233:25-32




*107 notont of 7QT.C/C C. 1 

i7j paieni at zoz.do-oi 




'193 patent at 283:61-65




'lOl nntpnt at 7Q(V/l/\ A 7 

i7j pdicm ai zyu.*to-oz 




07 1 palcm al jZi.JU'Oj 




Extrinsic Sources




The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1508. 


security level, level of security 


Patent Specifications 




'721 patent at 6:16-62 


721.1; 721.34, 912.8 


l 77l natant of K.TO 1"7.C 

/zi patent at io.3o-i /:5 


/zi patent ax i /.Z4-4U 




'771 notont of 1 B .j4j4 Ift.lA 

/zi paieni at 1 0.44-1 y.iu 




'771 natpnt nt 1Q-7A 77 




1 1 07 nitont Hfl.K 1/11.11 

iyj patent at 14U. 15-141 :i l 


tamper resistance 




Patent Specifications 




'721 patent at 3:16-19 


721.1,721.34, 900.155 


'721 patent at 4:40-42 


'721 patent at 5:1-6
'721 patent at 6:25-30
'721 patent at 6:34-41
'721 patent at 6:53-56
/zi patent at 16:3o-17:5
'193 patent at 20:53-57
'193 patent at 21:23-37
'193 patent at 22:1-6
iy3 patent at 4y: 15-31
'193 patent at 59:40-59
'193 patent at 63:60-64:5
lyi patent at /3:30-31
'193 patent at 77:34-38
'193 patent at 80:22-81:11




'193 patent at 87:41-60 




iyj patent at i 1U:4 /-4y 




*1Q7 nitont of 1 AT 

iso patent at 1 14.5 /-oz 




* 1 Q7 nstPTit at 1 ")ri- 171-1 

j yj patent at l zu. jy- izi.i 




1 1 Q7 natP-nt of 1 7/Y7C 71 




4 1 07 natpnt at 7 1 B-77 A 7 

1 7j pdicm at z l o. jj*o j 




'683 patent at 3:27-34 




* A87 natAnt «t C,l 1 n 

oo j patent at 5:1 i-j / 




*fiR7 nntf»nt at B-0 1 fi 

qoj paieni at o.y-iu 




'683 patent at 16:58-62 




'683 patent at 20:16-19 




'683 patent at 29:55-30:3




File Histories 




'900 File History, 12/9/97 Office Action, p. 9 (citing USP 4,864,494, Abstract;
4:13-40; 6:21-65; and 7:15-47).

'900 File History, 8/27/98 Office Action, p. 3 (citing USP 5,048,085); see also USP
5,048,085 at 6:55-7:19

USP 5,917,912 File History, 9/22/98 Office Action, p. 4.

'683 File History, 11/12/99 Office Action, p. 5 (citing USP 5,499,298, Abstract and
6:45-7:9).

Extrinsic Sources 

Kent, Protecting Externally Supplied Software in Small Computers, Doctoral Thesis 
(Sept. 22, 1980), p. PA00000362. 

Aucsmith, Tamper Resistant Software: An Implementation (1996), p. PA00002323 

Mambo et al., A Tentative Approach to Constructing Tamper-Resistant Software, 
School of Information Science, Japan Advanced Institute of Science and Technology, 
1-1 Asahidai Tatsunokuchi Nomi, Ishikawa, p. PA00005363 

USP 5,594,227 at 2:42-48. 

Citations from Sources Designated by Microsoft under PLR 4-2(b)


Hensley et al., SCP Software Protection User's Guide (Sept. 18, 2000),
pp. MSI140484-MSI140485.


tamper resistant barrier 
721.34 


Patent Specifications 
'721 patent at 5:1-6

'193 patent at 59:48-59
'193 patent at 63:47-64:5
'193 patent at 64:13-31
'193 patent at 71:32-40
'193 patent at 79:49-50
lvi patent at 50:22-65

File Histories

'721 File History, 4/13/99 Amendment, p. 14.
09/272,998 File History, 10/11/01 Office Action, p. 3.
'900 File History, 8/27/98 Office Action, p. 3. 


tamper resistant software 
900.155 


Patent Specifications 
'900 patent at 87:61-88:33 
'900 patent at 230:57-65 
'900 patent at 233:24-33 
'900 patent at 235:27-236:29 

'683 patent at 29:50-30:3 

Extrinsic Sources 

Aucsmith, Tamper Resistant Software: An Implementation (1996), p. PA00002323

Mambo et al., A Tentative Approach to Constructing Tamper-Resistant Software,
School of Information Science, Japan Advanced Institute of Science and Technology, 
1-1 Asahidai Tatsunokuchi Nomi, Ishikawa, p. PA00005363 

USP 5,991,399 at 4:14-23; 5:47-55.


use
891.1, 683.2, 721.1


Patent Specifications
'683 patent at 63:35-67
'193 patent at 324:8-37

Extrinsic Sources

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1966.




user controls
683.2


File Histories
'683 File History, 11/12/99 Office Action, p. 4.






validity
912.8


Patent Specifications
'193 patent at 38:27-29
'193 patent at 41:37-42
'193 patent at 67:56-60
'193 patent at 77:30-41
'193 patent at 78:6-14
'193 patent at 85:42-67
'193 patent at 87:52-62
'193 patent at 111:59-112:12
'193 patent at 112:37-59
'193 patent at 119:66
*193 natent at 120-59-1 21-"*
4 193 Datent at 1^7- 54-67
'193 patent at 152:10-37
'193 patent at 152:40-153:8
'193 patent at 157:42-45
'193 patent at 157:57-67
'193 patent at 164:35-40
'193 patent at 217:51-52
'193 patent at 218:1-15
'193 patent at 220:47-52
'193 patent at 318:59-62




Virtual Distribution Environment
900.155


Patent Specifications
'900 patent at 2:19-31
'900 patent at 2:51-56
'900 patent at 3:18-45
'900 patent at 3:60-4:4
'900 patent at 4:10-13
'900 patent at 4:45-5:45
'900 patent at 6:29-42
'900 patent at 7:10-12
'900 patent at 7:34-8:7
'900 patent at 8:58-9:2
'900 patent at 9:8-58
'900 patent at 11:36-47
'900 patent at 13:26-49
'900 patent at 13:58-62
'900 patent at 21:41-46
'900 patent at 43:43-46
'900 patent at 43:57-44:6
'900 patent at 46:48-52
'900 patent at 48:65-49:2
'900 patent at 50:1-3
'900 patent at 50:30-32
'900 patent at 53:39-54:36
'900 patent at 55:63-56:5
'900 patent at 56:66-57:8
'900 patent at 57:15-17
'900 patent at 61:19-21
'900 patent at 87:61-88:47
'900 patent at 280:9-46
'900 patent at 302:17-24
'900 patent at 303:40-61
'900 patent at 316:36-45
'900 patent Abstract
'193 patent at 13:46-50
'193 patent at 13:54-57
'193 patent at 16:49-56




File Histories 




'721 File History, 4/13/99 Amendment, p. 13.
'891 File History, 9/25/96 Office Action, pp. 1-3.
'891 File History, 6/20/97 Amendment, p. 1.
USP 5,915,019 File History, 1/8/97 Amendment, p. 1.


'193:1


receiving a digital file including


Patent Specifications
* 1 93 natent at 1 *4fi--*i2
'193 patent at 1:61-63
4 1 93 natent at 3-26-79
'193 patent at 9:13-19
'193 patent at 12:5-39
'193 patent at 12:47-13:6
'193 patent at 13:54-14:28
'193 patent at 14:31-48
'193 patent at 16:25-40
'193 patent at 17:46-56
'193 patent at 18:10-14
'193 patent at 18:61-64
'193 patent at 22:1-14
'193 patent at 21:52-53; 23:51-24:14; 24:57-25:30
'193 patent at 38:43-55
'193 patent at 45:19-27
'193 patent at 45:39-45
'193 patent at 46:5-8
'193 patent at 52:66-53:8
'193 patent at 53:13-22
'193 patent at 53:33-37
'193 patent at 53:45-59
'193 patent at 54:51-58
'193 patent at 55:21-56:24
'193 patent at 57:33-39
'193 patent at 58:59-64
'193 patent at 59:39-42
'193 patent at 60:37-48
'193 patent at 62:27-42
'193 patent at 63:32-39
'193 patent at 64:48-51
'193 patent at 65:8-14
'193 patent at 67:31-52
'193 patent at 68:65-69:12
'193 patent at 74:51-53
'193 patent at 75:23-28
'193 patent at 75:65-76:32
'193 patent at 81:26-32
'193 patent at 83:53-63
'193 patent at 90:1-33
'193 patent at 90:38-46
'193 patent at 91:26-53
'193 patent at 96:1-7
'193 patent at 96:12-24
'193 patent at 98:66-99:3
'193 patent at 99:28-35
'193 patent at 101:54-102:61
'193 natent at 104- ?9-37
'193 patent at 105:23-39
'193 patent at 115:13-21
'193 patent at 115:26-29
'193 patent at 123:51-55
'193 patent at 130:13-54
'193 patent at 133:39-134:23
'193 patent at 135:31-42
'193 patent at 153:53-156:47
'193 patent at 161:7-162:65
'193 patent at 170:41-172:13
'193 patent at 172:61-177:53
'193 patent at 178:49-179:55
'193 patent at 214:59-67
'193 patent at 218:33-220:19
'193 patent at 220:53-67
'193 patent at 222:4-11
'193 patent at 225:22-226:36
'193 patent at 227:25-45
'193 patent at 231:32-59
'193 patent at 233:25-47
'193 patent at 234:36-43
'193 patent at 234:65-235:1
'193 patent at 235:13-38
'193 patent at 243:51-244:48
'193 patent at 254:30-34
'193 patent at 254:59-65
'193 patent at 264:29-49
'193 patent at 266:52-267:45
'193 patent at 273:42-53
'193 patent at 277:10-17
'193 patent at 279:42-53
'193 patent at 282:10-61
'193 patent at 283:23-28
'193 patent at 283:56-284:42
'193 patent at 288:43-60
'193 patent at 289:14-27
'193 patent at 290:30-62
'193 patent at 313:33-41
'193 patent at 313:58-67
'193 patent at 315:24-28
'193 patent at 316:1-6
'193 patent at 316:16-317:19
'193 patent, Figs. 1, 1A, 2, 2A, 3, 7, 8, 9, 9A, 10, 12, 13, 16, 19, 20, 21, 27, 28, 30, 31,
35, 36, 37, 38, 41a, 41b, 41c, 41d, 67, 69, 69A, 70, 71, 74, 77, 78, 79, 80, 81, 82, 83,
84, 85, 86, and 87

See "Receiving a digital file" ('193.11); Securely Receiving

Extrinsic Sources

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1508.


a budget specifying the number of
copies which can be made of said
digital file


Patent Specifications
'193 patent at 48:29-35
'193 patent at 133:39-50
'193 patent at 143:38-144:32
'193 patent at 162:39-65
'193 patent at 172:61-174:29
'193 patent at 220:20-40

See Digital file versus a copy, below.


controlling the copies made of
said digital file


Patent Specifications
'193 patent at 48:29-35
'193 patent at 81:4-12
'193 patent at 102:26-40
'193 patent at 133:39-134:23
'193 patent at 140:37-50
'193 patent at 143:39-144:31
'193 patent at 172:18-48
'193 patent at 172:61-174:29
iso puicni at zuj.jo*d/
'193 patent at 212:65-213:36
'193 patent at 229:45-232:3
'193 patent at 235:39-236:25
'193 patent at 263:46-264:4
'193 patent at 279:42-60

See Protected Processing Environment


determining whether said digital
file may be copied and stored on a
second device based on at least
said copy control


Patent Specifications
'193 patent at 48:12-35
'193 patent at 102:26-40
'193 patent at 133:39-50
'193 patent at 220:20-40
'193 patent at 263:46-264:57
'193 patent at 265:9-38
'193 patent at 278:9-25
'193 patent at 279:42-60
'193 patent at 316:16-317:19
'193 patent at 322:65-66
'193 patent at 323:4-7
'193 patent at 323:50-324:7
'193 patent at 325:32-35


if said copy control allows at least
a portion of said digital file to be
copied and stored on a second
device


Patent Specifications
'193 patent at 48:12-35
'193 patent at 102:26-40
'193 patent at 133:39-50
'193 patent at 220:20-40
'193 patent at 263:46-264:57
'193 patent at 265:9-37
'193 patent at 278:9-25
'193 patent at 279:42-60
'193 patent at 316:16-317:19
'193 patent at 322:65-66
'193 patent at 323:4-7
'193 patent at 325:32-35


copying at least a portion of said
digital file


Patent Specifications
'193 patent at 48:12-34
'193 patent at 133:39-50
'193 patent at 220:20-40
'193 patent at 264:28-57
'193 patent at 278:9-25
'193 patent at 316:16-317:19
'193 patent at 322:65-66
'193 patent at 323:4-7
'193 patent at 325:32-35


transferring at least a portion of
said digital file to a second device


Patent Specifications
'193 patent at 38:4-9
'193 patent at 48:12-43
'193 patent at 65:24-58
'193 patent at 68:51-61
'193 patent at 72:1-9
'193 patent at 133:39-50
'193 patent at 162:10-15
'193 patent at 167:41-43
'193 patent at 220:21-40
'193 patent at 226:11-16
'193 patent at 237:34-47
'193 patent at 252:51-58
'193 patent at 264:28-57
'193 patent at 278:9-25
'193 patent at 316:16-317:19
'193 patent at 322:65-66
'193 patent at 323:4-7
'193 patent at 324:8-37
'193 patent at 325:32-40

See "Storing information associated with said digital file in a secure database stored on
said first device, said information including at least one control" ('193.15)


storing said digital file 


Patent Specifications 




'193 patent at 88:24-30 




'193 patent at 99:7-16 




'193 patent at 102:43-62 




'193 patent at 127:41-62 




'193 patent at 134:10-14 




'193 patent at 153:50-154:16




'193 patent at 229:45-231:31 




'193 patent at 289:5-8 




'193 patent at 289:14-19 







Claim Term /Phrase 


InterTrust Evidence 




'193 patent at 289:65-66 


'193:11 




receiving a digital file 


Patent Specifications 
'193 patent at 52:66-53:8
'193 patent at 55:39-56
'193 patent at 60:37-48
'193 patent at 102:41-61
'193 patent at 133:39-134:23 
'193 patent at 282:29-61 
'193 patent at 316:16-317:19 
'193 patent at 323:14-40 

Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1508. 
See "Receiving a digital file including music" ('193.1) 


determining whether said digital
file may be copied and stored on a 
second device based on said first 
control 


See "Determining whether said digital file may be copied and stored on a second 
device based on at least said copy control" ('193.1). 


identifying said second device 


Patent Specifications 
'193 patent at 42:8-20 
'193 patent at 47:49-57 
'193 patent at 81:4-11 
'193 patent at 203:58-67 
'193 patent at 212:65-213:36 
'193 patent at 230:22-27 
'193 patent at 279:42-60 

See Identify and Identifier 


whether said first control allows 
transfer of said copied file to said 
second device 


Patent Specifications 
'193 patent at 48:28-34 
'193 patent at 102:26-40 
'193 patent at 263:46-264:49
iyj patent at zco:y-.3o
'193 patent at 279:42-60
'193 patent at 316:16-317:19

See "Determining whether said digital file may be copied and stored on a second
device based on at least said copy control" ('193.1)


said determination based at least 
in part on the features present at 
the device


Patent Specifications 
'193 patent at 42:8-20 
i yj patent at 4 1 My-j i 
'193 patent at 81:4-11
'193 patent at 203:58-67 
'193 patent at 212:65-213:36 
'193 patent at 230:22-27 
'193 patent at 279:42-60 


if said first control allows at least
a portion of said digital file to be
copied and stored on a second
device


Patent Specifications
'193 patent at 48:28-35
'193 patent at 102:26-40
'193 patent at 263:46-264:57
'193 patent at 265:9-38
'193 patent at 279:42-60
'193 patent at 316:16-317:19

See "If said copy control allows at least a portion of said digital file to be copied and 
stored on a second device" ('193.1). 


copying at least a portion of said 
digital file 


See "Copying at least a portion of said digital file" ('193.1)


transferring at least a portion of 
said digital file to a second device 


Patent Specifications 
'193 patent at 38:4-9 
'193 patent at 65:24-38 
'193 patent at 68:51-61
'193 patent at 72:1-9
'193 patent at 162:10-15
'193 patent at 167:41-43
'193 patent at 226:11-16
'193 patent at 237:34-47
'193 patent at 252:51-58
'193 patent at 324:8-37
'193 patent at 325:32-40

See "Transferring at least a portion of said digital file to a second device" ('193.1); and
"Storing information associated with said digital file in a secure database stored on
said first device, said information including at least one control" ('193.15)


storing said digital file 


See "Storing said digital file" ('193.1)


'193:15 




receiving a digital file 


Patent Specifications 

'193 patent at 52:66-53:8

'193 patent at 55:39-56 

'193 patent at 60:37-48 

'193 patent at 102:41-61 

'193 patent at 133:39-134:23 

'193 patent at 282:29-61 

'193 patent at 316:16-317:19

See "Receiving a digital file" ('193.11)

Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1508. 


an authentication step comprising: 


Patent Specifications
'193 patent at 42:8-20 
'193 patent at 47:49-57 
'193 patent at 81:4-11 
'193 patent at 123:24-62 
'193 patent at 203:58-6? 
'193 patent at 212:66-213:36
'193 patent at 230:22-27
'193 patent at 278:9-25
'193 patent at 279:41-60


accessing at least one identifier
associated with a first device or
with a user of said first device


Patent Specifications
'193 patent at 25:31-38
'193 patent at 42:8-20
'193 patent at 47:49-57
'193 patent at 81:4-11
'193 patent at 123:23-62
'193 patent at 203:58-67
'193 patent at 212:65-213:36
'193 patent at 230:22-27
'193 patent at 278:9-25
'193 patent at 279:41-60

See Identifier


determining whether said
identifier is associated with a
device and/or user authorized to
store said digital file


Patent Specifications
'193 patent at 42:8-20
'193 patent at 47:49-57
'193 patent at 81:4-12
'193 patent at 123:24-62
'193 patent at 192:3-57
'193 patent at 203:58-67
'193 patent at 212:65-213:36
'193 patent at 230:22-27
'193 patent at 278:9-25
'193 patent at 279:42-60


storing said digital file in a first
secure memory of said first
device, but only if said device
and/or user is so authorized, but
not proceeding with said storing if
said device and/or user is not
authorized


Patent Specifications
'193 patent at 42:8-20
'193 patent at 47:49-57
'193 patent at 81:4-12
'193 patent at 123:24-62
'193 patent at 192:3-57
'193 patent at 203:58-67
'193 patent at 212:65-213:36
'193 patent at 230:22-27
'193 patent at 278:9-25
'193 patent at 279:42-60


storing information associated
with said digital file in a secure
database stored on said first
device, said information including
at least one control


Patent Specifications
'193 patent at 19:15-32
'193 patent at 22:20-25
'193 patent at 126:15-37
'193 patent at 153:50-67
'193 patent at 156:53-58
i ?j paieni at zyi.i y-*t /


determining whether said digital
file may be copied and stored on a
second device based on said at
least one control


See "Determining whether said digital file may be copied and stored on a second
device based on at least said copy control" ('193.1) and "Storing information
associated with said digital file in a secure database stored on said first device, said
information including at least one control" ('193.15).


if said at least one control allows 
at least a portion of said digital 
file to be copied and stored on a 
second device, 


Patent Specification 
'193 patent at 48:28-34 
'193 patent at 102:26-40 
'193 patent at 263:46-264:49 
'193 patent at 265:9-38 
'193 patent at 279:42-60
'193 patent at 316:16-317:19

See "If said first control allows at least a portion of said digital file to be copied and
stored on a second device" ('193.11); "If said copy control allows at least a portion of
said digital file to be copied and stored on a second device" ('193.1); and "Storing
information associated with said digital file in a secure database stored on said first
device, said information including at least one control" ('193.15).


copying at least a portion of said 
digital file 


See "Copying at least a portion of said digital file" ('193.1) and "Storing information 
associated with said digital file in a secure database stored on said first device, said 
information including at least one control" ('193.15).


transferring at least a portion of 
said digital file to a second device 


Patent Specifications 
'193 patent at 38:4-9 
'193 patent at 65:24-38 
'193 patent at 68:51-61 
'193 patent at 72:1-9 
'193 patent at 162:10-15 
'193 patent at 167:41-43 
'193 patent at 226:11-16
'193 patent at 237:34-47
'193 patent at 252:51-58
iyj paiem ax jzh.o-j /
'193 patent at 325:32-40

See "Transferring at least a portion of said digital file to a second device" ('193.1); and
"Storing information associated with said digital file in a secure database stored on
said first device, said information including at least one control" ('193.15).


storing said digital file 


See "Storing said digital file" ('193.1). 


'193:19 




receiving a digital file at a first 
device 


Patent Specifications 
'193 patent at 52:66-53:8 
'193 patent at 55:39-56 
'193 patent at 60:37-48 
'193 patent at 102:41-61 
'193 patent at 133:39-134:23 
'193 patent at 282:29-61 
'193 patent at 316:16-317:19

See "Receiving a digital file" ('193.11)

Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1508. 


establishing communication 
between said first device and a 
clearinghouse located at a location 
remote from said first device 


Patent Specifications 
'193 patent at 1:46-52 
'193 patent at 1:60-63 
'193 patent at 3:25-29
* 1 93 natpnt at 0*13-17
'193 patent at 12:5-39
'193 patent at 12:47-13:6
'193 patent at 13:54-14:28
'193 patent at 14:31-48
'193 patent at 16:25-40
'193 patent at 17:46-56
'193 patent at 18:10-14
'193 patent at 18:60-64




*103 nntpnt nt 77- 1-1 A 
1 7j pdlcHl a I ZZ . 1 - i H 




'1 03 nntpnt at 71 • 57-51* 73- 5 1.74* Id* nnA 74**^7 7*s-1fl 
1 7J paicm ol .jZ-jj, ZJ.J 1*Z*t, l*r, allU Z*r. J / -i J.JU 




' 1 01 natpnt at 1ft -41 

1 7j paieni ai jo,*t>jj 




M01 nntpnt at 4^-1 0 7 A 
1 7J paicm al *f J . 1 y-zo 




1 1 01 natpnt at ^ CTtQ /I < 
iyj paicm al HD.jy-tj 




* 1 01 natA-nt at ,4 A-il C 

iy.? patent at *to.4-o 




4 1 01 -natprit at ^7-AA ^1-R 

i7j patent at jz.oo-jj.o 




' 1Q1 natpnt at ^1*1 1 77 

i7j patent at d j. Ij-zz 




* 1 01 r*atP«t at *^1-11 17 

i?j patent ai jj.jj-j / 




iy.5 paicm ai JJ.HJ-J7 




* 1 01 natftnf at 1 <9 

patent at dh.jioo 




1 1 01 natpnt at ^-7 1 *\A»74 

lyo. patent at jj.zioo.Zn 




*101 mato-nt of *\7*17 lO 

iyj patent at j /.^rooy 




iyj patent at do. jy-04 




4 101 nitATit ot <Q.10_*i7 

lyj patent at jy.oy-*+z 




iy^ patent at ou.o /-4o 




'101 nnt»nt at A7.07 47 

iyj patent at oz.z /-4z 




■101 Ttat^nt ot A1-17 10 

iyj patent at Oj.jz-jy 




* 1 Ol notant at A4 •>4Q < 1 

ty.? patent at o4.4yo j 




'101 notAnt at A*?>0 \A 

i7 j patent at oj.y-J4 




1 1 01 notont ot A7*1 1 *\7 

iy.5 patent at o 1,0 ioz 




• 1 01 notAtit at AC A< AO. 1 ") 

iyj patent at oo.oj-oy.iz 




* 1 01 notont at 7A*< 1 *\1 

iyj patent at /■h.di-jo 




4 1Q1 natpnt at 7*\-71 78 

iyj paicni at /j.Zj-zo 




4 103 nntpnt at 7*>-6^ 76-17 

j 7j paicni ai /j.vD'/o.jZ 




4 1 01 nntpnt at 81 -76 17 

i yj paieni ai o i .zooz 




' 1 01 nntpnt at 81-^1 Al 

lyj patent at oj.dj-Oj 




4 1 01 natpnt at OH* 1 78 

i7j paieni ai yu.i-zo 




' 1 01 natAmt at Oft. 1Q A A 

i zfo patent at yu.jy-40 




4 1 01 natpnt at 01 '7 A *\ 1 

iyo paieni ai y i .zo-j i 




4 1 01 nntpnt at OA* 1 7 

i paicm ai yo. 1 - / 




* 1 93 natpnt at 06* 1 7-76 
i ?J paicm ai yo. 1 z-zo 




4 1 93 natpnt at 08-66.00*1 

I7J palCUL at 70.UU-77.J 




4 1 03 natpnt at QQ*78-1 5 
i y j paicni ai yy.zo-jj 




* 1 03 natpnt at 1 01 *54 107-57 
i yj paicni ai iui . j*t- 1 uz . jz 




*193 natpnt nt 104*70-37 




4 193 natpnt nt 105-75-30 
i"j paicni ai ivj.zj-jy 




* 1 93 natpnt nt 115*1 3.7 1 
i yj paicni ai 1 1 j. jo~z i 




* 1 93 natpnt nt 1 1 5*75.70 
iyj paicni ai 1 1 j.zj-z? 




4 1 03 natpnt at 1 71-51 5*^ 

i ~ j paicni ai izj-ji-jj 




4 1 03 natpnt at 1 1 1 *45 *^7 

i"j patent at iji.**j-jz 




'193 patent at 135:16-24
'193 patent at 135:31-42
'193 patent at 153:53-156:47
'193 patent at 160:65-162:65
'193 patent at 170:42-172:13
'193 patent at 172:61-177:53
'193 patent at 178:49-179:55
'193 patent at 214:59-67
'193 patent at 21o:33-220:19
'193 patent at 220:53-67
'193 patent at 222:4-11
'193 patent at 225:22-226:36
'193 patent at 227:25-45
'193 patent at 231:32-59
'193 patent at 233:25-47
'193 patent at 234:36-43
'193 patent at 234:64-235:1
'193 patent at 235:13-38
'193 patent at 243:51-244:48
'193 patent at 254:30-34
'193 patent at 254:59-65
'193 patent at 264:26-49
'193 patent at 266:51-267:45
'193 patent at 273:42-53
'193 patent at 277:9-17
'193 patent at 279:42-53
'193 patent at 282:11-28
'193 patent at 282:45-61
'193 patent at 283:24-28
'193 patent at 283:56-284:43
'193 patent at 288:43-60
'193 patent at 289:14-27
'193 patent at 290:30-62
'193 patent at 292:19-47
'193 patent at 313:33-41
'193 patent at 313:58-67
'193 patent at 315:24-28
'193 patent at 316:1-6
'193 patent at 316:16-317:19
'193 patent, Figs. 1, 1A, 2, 2A, 3, 7, 8, 9, 9A, 10, 12, 13, 16, 19, 20, 21, 27, 28, 30, 31,
35, 36, 37, 38, 41a, 41b, 41c, 41d, 67, 69, 69A, 70, 71, 74, 77, 78, 79, 80, 81, 82, 83,
84, 85, 86, and 87


using said authorization
information to gain access to or
make at least one use of said first
digital file


Patent Specifications
'193 patent at 128:66-129:26
'193 patent at 148:50-149:7
'193 patent at 151:64-152:9
'193 patent at 215:24-32


receiving a first control from said
clearinghouse at said first device


Patent Specifications
'193 patent at 1:4o-52
'193 patent at 1:60-2:3
'193 patent at 3:26-29
'193 patent at 9:13-1o
'193 patent at 12:5-9
MQ7 nntpnt at 1 7-47-1 Vfi
'193 patent at 13:54-14:28
'193 patent at 14:31-48
'193 patent at 16:25-40
'193 patent at 17:46-56
'193 patent at 18:10-14
'193 patent at 18:60-64
'193 patent at 22:1-14
'193 patent at 21:52-53; 23:51-24:14; and 24:57-25:30
'193 patent at 38:43-55
'193 patent at 45:19-27
'193 patent at 45:39-45
'193 patent at 46:4-8
'193 patent at 52:66-53:8
'193 patent at 53:12-22
'193 patent at 53:33-37
'193 patent at 53:45-59
'193 patent at 54:51-58
'193 patent at 55:21-56:24
'193 patent at 57:33-39
'193 patent at 58:50-64
'193 patent at 59:39-42
'193 patent at 60:37-48
'193 patent at 62:27-42
M93 natpnt at 63*^2-39
*1 natpnt at 64*4R-S1
*1 0^ natent at 6*vR- 14
* 1 93 natpnt at 67*^ 1 -S7
'193 patent at 68:65-69:12
4 1 natpnt at 74 "5 1 -S^
'193 patent at 75:23-28
'193 patent at 75:65-76:32
'103 natpnt at R1 ^n-^?
'193 patent at 83:53-63
* 1 91 natpnt at QO* 1 -2R
'lOl natent at 90-1R-46
'193 patent at 91:26-51
'193 patent at 96:1-7
'193 patent at 96:12-24
'193 patent at 98:66-99:3
'193 patent at 99:28-35
'193 patent at 101:54-102:51
'193 patent at 104:29-37
'193 patent at 105:23-39
'193 patent at 115:13-21
'193 patent at 115:25-29
'193 patent at 123:51-55
'193 patent at 131:45-52
'193 patent at 135:16-24
'193 patent at 135:31-42
'193 patent at 153:53-156:47
'193 patent at 160:65-162:65
'193 patent at 170:42-172:13
'193 patent at 172:61-177:53
'193 patent at 178:49-179:55
'193 patent at 214:57-67
'193 patent at 218:31-220:19
'193 patent at 220:53-67
'193 patent at 222:4-11
'193 patent at 225:22-226:26
'193 patent at 227:25-45
'193 patent at 231:32-59
'193 patent at 233:25-47
'193 patent at 234:36-43
'193 patent at 234:64-235:1
'193 patent at 235:13-38
'193 patent at 243:51-244:48
'193 patent at 254:30-34
'193 patent at 254:59-65
'193 patent at 264:29-49
'193 patent at 266:51-267:45
'193 patent at 273:42-53
'193 patent at 277:9-18
'193 patent at 279:42-53
'193 patent at 282:11-28
'193 natent at 28? -4 5-61
'193 patent at 283:23-28
'193 patent at 283:56-284:42
'lO'l natp-nt at 9RSZ'4.^-^n
'193 patent at 289:14-27
'193 natent at 2Q0 -^0-6?
* 1 03 natent at JQJ • 1 0-d7
'IQl nntpnt nt 31
iyj pdlcni al jI j.jj-nl
'193 patent at 313:58-67
'193 patent at 315:24-28
'193 patent at 316:1-6
'193 patent at 316:16-317:19
'193 patent, Figs. 1, 1A, 2, 2A, 3, 7, 8, 9, 9A, 10, 12, 13, 16, 19, 20, 21, 27, 28, 30, 31,
35, 36, 37, 38, 41a, 41b, 41c, 41d, 67, 69, 69A, 70, 71, 74, 77, 78, 79, 80, 81, 82, 83,
84, 85, 86, and 87

See "Receiving a digital file" ('193.11).


storing said first digital file in a
memory of said first device


See "Storing said digital file" ('193.1)


using said first control to
determine whether said first
digital file may be copied and
stored on a second device


See "Determining whether said digital file may be copied and stored on a second
device based on at least said copy control" ('193.1).


if said first control allows at least
a portion of said first digital file to
be copied and stored on a second
device


Patent Specifications
'193 patent at 48:28-35
'193 patent at 102:26-40
'193 patent at 263:46-264:57
'193 patent at 265:9-38
'193 patent at 279:42-60
'193 patent at 316:16-317:19

See "If said first control allows at least a portion of said digital file to be copied and
stored on a second device" ('193.11).


copying at least a portion of said
first digital file


See "Copying at least a portion of said digital file" ('193.1).


transferring at least a portion of
said first digital file to a second
device including a memory and an
audio and/or video output


Patent Specifications
'193 patent at 38:4-9
'193 patent at 65:24-38
'193 patent at 68:51-61
'193 patent at 72:1-9
'193 patent at 162:10-15
'193 patent at 167:41-43
'193 patent at 226:11-16
'193 patent at 237:34-47
'193 patent at 252:51-58
'193 patent at 324:8-37
'193 patent at 325:32-40

See "Transferring at least a portion of said digital file to a second device" ('193.1); and
"Storing information associated with said digital file in a secure database stored on
said first device, said information including at least one control" ('193.15)


storing said first digital file
portion


See "Storing said digital file" ('193.1)




'683:2 




the first secure container having
been received from a second
apparatus


Patent Specifications
'683 patent at 15:56-16:4
'193 patent at 102:41-51


an aspect of access to or use of


Patent Specifications
'683 patent at 24:33-39
'683 patent at 25:62-26:10
'193 patent at 15:46-50
'193 patent at 58:38-46
'193 patent at 159:23-26
'193 patent at 128:42-45


the first secure container rule
having been received from a third
apparatus different from said
second apparatus


Patent Specifications
'683 patent at 24:33-39
'683 patent at 25:62-67
'193 patent at 15:46-50
'193 patent at 54:24-38
'193 patent at 58:38-46
'193 patent at 128:42-45
'193 patent at 159:23-26

See "First secure container having been received from a second apparatus" ('683.2).


hardware or software used for receiving and opening secure containers


Patent Specifications
'683 patent at 5:30-38
'683 patent at 6:52-56




'683 patent at 8:50-52 




'683 patent at 10:12-15 




'683 patent at 10:27-35 




'683 patent at 10:55-11:14 




'683 patent at 11:40-52 




'683 patent at 11:65-56 




'683 patent at 11:59-64 




'683 patent at 12:27-51 




'683 patent at 13:3-6 




'683 patent at 13:15-17 




'683 patent at 13:43-47 




'683 patent at 14:10-14 




'683 patent at 14:18-27




'683 patent at 14:58




'683 patent at 14:64-65 




'683 patent at 15:35-45 




'683 patent at 15:56-16:4 




'683 patent at 16:25-28 




'683 patent at 16:58-20:66 




'683 patent at 24:46-25:26 




'683 patent at 29:50-30:16 




'683 patent at 30:30-35:43 




'683 patent at 36:1-37:42 




'683 patent at 38:56-39:39 




'683 patent at 39:66-43:20 




'683 patent at 47:34-42 




'683 patent at 49:31-39 




'683 patent at 61:7-11 




'683 patent at 62:8-62 




'683 patent, Figs. 7, 8, 9, 9A, 9B, 10, 12, 13, 35, 36




'193 patent at 1:46-55 




'193 patent at 1:60-63 




'193 patent at 3:26-29 




'193 patent at 9:13-17 




'193 patent at 12:5-39 




'193 patent at 12:47-13:6 




'193 patent at 13:54-14:28 




'193 patent at 14:31-48 




'193 patent at 16:25-40




'193 patent at 17:46-56 




'193 patent at 18:10-14 




'193 patent at 18:60-64




'193 patent at 22:1-14 




'193 patent at 21:52-53; 23:51-24:14; 24:57-25:30




'193 patent at 38:46-55 




'193 patent at 45:19-27 




'193 patent at 45:39-45 




'193 patent at 46:4-8 




'193 patent at 52:66-53:8 




'193 patent at 53:13-22 




'193 patent at 53:33-37 




'193 patent at 53:45-59 




'193 patent at 54:51-58 




'193 patent at 55:21-56:24 




'193 patent at 57:33-39 




'193 patent at 58:59-64 




'193 patent at 59:39-42 




'193 patent at 60:37-48 




'193 patent at 62:27-42 




'193 patent at 63:32-39 




'193 patent at 64:48-51 




'193 patent at 65:8-14 




'193 patent at 67:31-52 




'193 patent at 68:65-69:12 




'193 patent at 74:51-53 




'193 patent at 75:23-28 




'193 patent at 75:65-76:32 




'193 patent at 81:26-32 




'193 patent at 83:52-63




1 1 07 natfvni at QC\'1Q-A&




i 7j patent at y i .zo- j 1 




1 1 Q7 r»at-rit at OA* 1 "7 

1 yj pateni ax yo. i - / 




1 1 97 nntpnf at OA* 1 0 04 




i73 paicm ai yo.oo-yy.j 




*1 07 nntpnt at OQ-^S 7C 

17 J pdlcm ai 77.£,0'J>J 




i7 j patent ai iui.j*f-iuz.jl 




ty.3 patent at iiw.z9-3 / 




* 1 07 Tvstorit at 1ft<*17 70 

. i7 d patent at 1Uj.Z3-39 




1 1 07 notont „* 1 11 

i 7j patent at 1 1 j: 1 3-2 1 




* 1 07 nifant at 1 1 C.TC TO 

lyo pateni at 1 1 j:Z5-29 




* 1 07 natont »t117.<1<f 

i7j patent at iZ3:5i-55 




'193 patent at 135:31-42
'193 patent at 133:53-156:47




193 patent at lol: 7-1 62:65 




i7 j patent at i /u:42-l 72:13 




'193 patent at 172:61-177:53
'193 patent at 178:49-179:55
'193 patent at 214:57-67
'193 patent at 218:31-219:19
'193 patent at 220:53-67
'193 patent at 222:4-11
'193 patent at 225:22-226:36
'193 patent at 227:25-45
'193 patent at 231:32-59
'193 patent at 233:25-47
'193 patent at 234:36-43
'193 patent at 234:64-235:1
'193 patent at 235:14-38
'193 patent at 243:51-244:48
'193 patent at 254:30-34
'193 patent at 254:59-65
'193 patent at 264:29-49




* 1 07 nn^anf n + 1iCiC.f1 1^1 AC 

193 patent at 2oo:5 1-267:45 




4 1 07 nn4an( n+ T7 0 . /II fl 

iy3 patent at 2 /3:42-53 




* 1 07 rtlfan« nf 1T7.ft 1*7 

iy3 patent at 2 / /:9-l / 




* 1 07 notanl »»♦ ITO,. yl 1 fl 

i yj patent at 2 /9:42-53 




4 1 07 niiamf n + 101.1 1 TO 

iyo patent at 2o2:l l-2o 




1 1 07 nafAnt at 1C1'/1< £1 

iy3 patent at zoz. 45-01 




'107 natont of ICO. 11 10 

iyo patent at Zo3:Z3-2o 




1 1 07 notATit of 1Q0<<£ 10/1. /II 

tyj patent at 283: 5 0-2 &4:42 




* 1 07 natAnt of 1QCM0 <A, 

iyj patent at zoo:43-ou 




4 1 07 nntpnt at *)CO-1/l 07 
1 7J palcul at Z07 . 1 ^-Z / 




*193 natent at OQO^O-fi? 




' 1 9^ nfltpnf at 717-77 A\ 




'193 patent at 313:58-67 




'193 patent at 315:25-29 




1 1 07 natomt of 7K.1 £ 

1 7 j patent at 3 1 o. l -o 




* 1 93 natenr at 7 1 fvfi'?-^ 




'193 patent, Figs. 1, 1A, 2, 2A, 3, 7, 8, 9, 9A, 10, 12, 13, 16, 19, 20, 21, 27, 28, 30, 31,
35, 36, 37, 38, 41a, 41b, 41c, 41d, 67, 69, 69A, 70, 71, 74, 77, 78, 79, 80, 81, 82, 83,
84, 85, 86, and 87




File Histories 




'683 File History, 11/12/99 Office Action, pp. 4-5 (citing USP 5,412,717); see also
USP 5,412,717 at 4:45-62; 7:49-56; 8:7-24; and 9:64-66.

Claim Term / Phrase


InterTrust Evidence 




See Protected Processing Environment and Host Processing Environment 


said secure containers each including the capacity to contain a
governed item, a secure container rule being associated with each of
said secure containers


Patent Specifications
'683 patent at 15:56-16:4
'683 patent at 25:62-26:10
'193 patent at 19:15-32
'193 patent at 22:20-25
'193 patent at 292:27-37


protected processing environment at least in part protecting
information contained in said protected processing environment
from tampering by a user of said first apparatus


See Protected Processing Environment




hardware or software used for applying said first secure
container rule and a second secure container rule in combination to at
least in part govern at least one aspect of access to or use of a
governed item contained in a secure container


Patent Specifications
'683 patent at 8:38-46
'683 patent at 11:40-52
'683 patent at 11:55-56
oo 5 patent at I l:!>y-o4
'683 patent at 13:46-47
'683 patent at 14:58
'683 patent at 16:25-28
'683 patent at 16:58-62
'683 patent at 20:13-23
'683 patent at 24:26-33
'683 patent at 25:62-26:10
'683 patent at 29:50-30:3
'683 patent at 30:40-65
'683 patent at 31:28-55
'683 patent at 32:7-36
'683 patent at 32:59-33:37
'683 patent at 34:5-13
'683 patent at 35:44-67
'683 patent at 36:13-40
'683 patent at 37:14-42




iy5 patent at iy:63-zu: / 




'193 patent at 54:39-50 




'193 patent at 55:33-56 




paient at i4y;Z4-43 




i7j paiem ai ^*iz.j*t-oi 




'193 patent at 242:64-243:9 




'193 patent at 243:59-62 




'193 patent at 253:9-63 




File Histories 




'683 File History, 11/12/99 Office Action, pp. 4-5 (citing USP 5,412,717 at 10:8-39




and 17:40-61). 




See Protected Processing Environment and Host Processing Environment 


hardware or software used for transmission of secure containers
to other apparatuses or for the receipt of secure containers from
other apparatuses.


Patent Specifications
'683 patent at 5:30-40
'683 patent at 6:52-56
'683 patent at 8:50-52
'683 patent at 10:12-15
'683 patent at 10:27-35
'683 patent at 10:55-11:14
'683 patent at 11:40-51
'683 patent at 11:55-56




*6R3 natent at 1 1 -5Q.A4 




'683 patent at 12:27-51




'6R3 natpnt at 1 7-7-A 




*6R3 natent at 1 7* 1 4 1 A 




*6R3 natpnt at 1 l-A'X-Al 
uoj pdicm ai u.*o-*t / 




*AR^ natpnt at 14*1 1 77 
OOj palCUL al l*t.l 1-ZZ 




*AR^ natpnt at 14-^fi Afi 
00 j palCDl a I l*r. jo-OU 




*AR*^ natpnt at 1,4*A4 A^\ 
UOj pdicm.al l*T.D*f-OJ 




*AR^ natpnt at 1 ^* 1 A-1 7 
UOJ palCUl al 1 J. 10-1 / 




'AR3 natpnt at 1 ^*7A_77 
ooj pdicm al Ij.ZO-Z/ 




*AR3 natpnt at 1 ^*7^-d^ 
UOj pdicm al 1 




'/^S^ natpnt at 1 <*^A 1 A«;l 

doj paicm ai ij.jo-io.h 




*AR3 natpnt at 1 A*7^ 9ft 
OOJ pdicm al 1 O.Z j-Zo 




*AR^ natpnt at 1 A«^B 7fV^1 
OOJ) palcni at IO.Jo-ZU.jI 




*AR3 natpnt at 74*a\A_7^*7A 
UOJ pdlcni al Z*f.nO-ZJ.ZO 




*AR3 natpnt at 70* ^fl 1C\- 1 A 
UOJ pdlCQl dl 10 




'AR3 natpnt at in-^n-l^-^^ 
UOj pdicm al ju.jU-jj.4j 




'AR^ natpnt at "*A* 1 77-.A7 
Ooj palCDl al jO.I-j / 




'683 patent at 38:56-39:39 




'683 patent at 39:65-43:20 




'AR^ natent at ALIA A"l 
OOj pdlCDl al H /.j*f-*| , Z 




*AR3 natpnt at 40-^1 * 

UOJ pdlCIll dl *f7.ji*j7 




*AR^ natent at Al -7 11 
uoj pdicm al 0 1 . /-I 1 




'AR^ natpnt at A7-Q A7 




*AR^ natpnt Fmc 7 ft 0 OA OP 1fi 17 11 1< 1/; 

ooj pdicm, rigs. /, o, y, yJ\, Vis, 1U, IZ, 1 j, jj, 30 




*1Q3 natpnt at 1 *4A ^7 
1 yj JJdlCill al 1 .*tO-jZ 




4 1 natpnt at 1 ■ AH Al 
1 7 J pdlCDl at l.Ov-Oj 




* 1 Q3 natpnt at V7 A 70 
i y j uaiciii ai j.zo-z*t 




* 1 03 natpnt at 0* 1 \ 17 
i y j patent ai 7. 1 J-l / 




'193 natpnt at 17-S-3Q 

I7J jJaLCllL ai 1Z.J-J7 




'193 patent at 12:47-13:6
'193 patent at 13:54-14:28




'193 natent at 14-31-4R 

i ? j patent a i it,j i "*to 




*193 natent at 1 A- 7 5-40 
i 7 j jjaici.iL at lU.iJ - tu 




'193 natent at 17-46-5 A 

i7j patent ai i / ."tu ju 




'193 patent at 18:10-14
'193 patent at 18:60-64
'193 patent at 22:1-14




'193 natent at 21 -52-53- 23-51-74-14- 74-57 7S-^n 

17J paiwm ai Ai.Jii-jj, ij, j l-Z*t. l*t, Z*t. J / -Z J. jU 




'193 patent at 38:43-55
'193 patent at 45:19-27




'193 patent at 45:39-45 




'193 patent at 46:4-8 




'193 patent at 52:66-53:8 




'193 patent at 53:13-22 




'193 patent at 53:33-37 




'193 patent at 53:45-59 




'193 patent at 54:51-58




'1 01 natpnt nt >7 1 ^fx-lA 




*101 natpnt nt S7-77.7Q 
iyj paicni al j / .jj-jy 




*101 natpnt nt ^&*SQ-£4 




'101 natpnt nt S O'lQ-a 1 ! 
iyj paicm ai jy.oy~m 




4 1 01 natpnt nt nYV77_4fi 
l?j palCOl al OU.j /-*ro 




4 1 01 natpnt nt 67*77-4') 




*101 natpnt nt 67*77 70 
17j paicm al Oj.jZ-j7 




MO: natpnt nt /vd-AR ^1 
17j palCUl al 0*f.n>o0i 




MO^ natont it ACQ 14 

170 patent al OD.o-14 




*1 Ql natpnt at A7* 7 1 *»7 

1 7 j patent ax o / . j i 




170 paieni ax 0o.05-oy.i2 




lyj patent at /4. 51-53 




*107 noW at 7*5.17 "5C 

170 patent at 0.23-20 




'107 nnfont at "7<-A^ TrfCa^ 

iyj patent at /5.05-/o:32 




l patent at 5 1 :2o-32 




lyi patent at o3:53-o3 




'107 nntant a* OA. 1 TO 

i ?3 patent at yu: 1 -20 




'10*2 **a+a*i« n* OA.IA >1 ^ 

i?3 patent at yo:3y-4o 




I y3 patent at y 1 :2o-5 1 




l y 3 patent at y o: 1 -7 




* 1 07 -nictMi A£. 1 1 1f| 

iy3 patent at yo: 12-20 




iy3 patent at yo:oo-yy:3 




'107 -tntant a* AO.IO 1C 

iy3 patent at yy:2o-35 




'193 patent at 101:54-102:51




iy3 patent at 104:2y-37
'193 patent at 105:23-39
'193 patent at 115:13-21
'193 patent at 115:25-29
'193 patent at 123:51-55
'193 patent at 135:31-42




iy3 patent at l53:53-15o:47 




i y3 patent at l o 1 : /- 1 o2 :o5 




iy3 patent at 1/0:42-172:13
'193 patent at 172:61-177:53




MQl nA4 AV i* n « 1 "JO . v* A 1 *7A. C C 

iy3 patent at 17o:4y- 179:55 




iyi patent at 214:5 /-o/ 




* 1 G7 nn»A««- n* 11 O.I 1 11A. 1 A 

l y 3 patent at 2 1 o:3 1 -220: 1 9
'193 patent at 220:53-67
'193 patent at 222:4-11




iyj patent at 225.22-220.30 




'107 rtQfpnt at OOT-OC A C 

i7j patent at 22 / . 25-45 




* 1 07 natpnt at 01 1 •1') CO 

i y j patent at 23 1 .32oy 




1 70 patent at ^35.25-4 / 




* 1 01 natpnt at 774*7A_47 
17J paicm at Zj^.j0-4j 




'101 natpnt at IIA'fiA 97^*1 

I7j pa lent at zj , H.o*t-2jj. l 




4 1 01 natpnt at 77^* 14 7fi 

i7j paieni at zjj.h-jo 




4 101 natpnt nt 747-*. 1 7 c . c i-dfc 
1 7 J palCUl al ZH J . J 1 -/Jj.HO 




* 1 01 natpnt nt 7 *\4 • 7fi 7a 
l7-> paLcni al Zjf.JU-Jn 




1 1 01 natpnt nt ~>$<\ $Q 
i7j paicni at Z55.5y-0j 




* 1 01 nntpnt at O^-IQ^lO 
1TO paieni at Z0n.zy-n7 




'193 patent at 266:51-267:45
'193 patent at 273:42-53
'193 patent at 277:10-17
'193 patent at 279:42-53
'193 patent at 282:11-28




'193 patent at 282:45-61 




'193 patent at 283:23-28
'193 patent at 283:56-284:42




'193 patent at 288:43-60 




'193 patent at 289:14-27 




'193 patent at 290:30-62 




'193 patent at 313:33-41 




'193 patent at 313:58-67 




'193 patent at 315:25-29 




'193 patent at 316:1-6 




'193 patent at 316:62-65 




'193 patent, Figs. 1, 1A, 2, 2A, 3, 7, 8, 9, 9A, 10, 12, 13, 16, 19, 20, 21, 27, 28, 30, 31,
35, 36, 37, 38, 41a, 41b, 41c, 41d, 67, 69, 69A, 70, 71, 74, 77, 78, 79, 80, 81, 82, 83,
84, 85, 86, and 87




File Histories 




'683 File History, 11/12/99 Office Action, pp. 4-5 (citing USP 5,412,717); see also




USP 5,412,717 at 1:18-24; 4:58-69. 




See Protected Processing Environment and Host Processing Environment 


'721:1


digitally signing a first load module with a first digital
signature designating the first load module for use by a first device
class


Patent Specifications
'721 patent at 4:61-5:5
'721 patent at 6:16-62
'721 patent at 7:66-8:6
'721 patent at 16:37-17:23
'721 patent at 18:19-39
'721 patent at 19:11-32
'721 patent at 20:1-4


digitally signing a second load module with a second digital
signature different from the first digital signature the second
digital signature designating the second load module for use by a
second device class having at least one of tamper resistance and
security level different from the at least one of tamper resistance and
security level of the first device class


Patent Specifications
'721 patent at 4:61-5:9
'721 patent at 6:16-64
'721 patent at 7:62-8:6
'721 patent at 16:37-17:23
'721 patent at 17:41-18:2
'721 patent at 18:19-20:4




distributing the first load module for use by at least one device in
the first device class


Patent Specifications
'721 patent at 4:61-5:5
'721 patent at 6:16-62
'721 patent at 7:66-8:6
'721 patent at 16:37-17:23
'721 patent at 18:3-38
'721 patent at 19:11-32
'721 patent at 19:51-67
'721 patent at 20:1-4
'721 patent at 20:58-21:7


distributing the second load module for use by at least one
device in the second device class


Patent Specifications
'721 patent at 4:61-5:5
'721 patent at 6:16-62
'721 patent at 7:66-8:6
'721 patent at 16:37-17:23
'721 patent at 18:3-38
'721 patent at 19:11-32
'721 patent at 19:51-67
'721 patent at 20:1-4
'721 patent at 20:58-21:7


'721:34


arrangement within the first tamper resistant barrier


Patent Specifications
'721 patent at 4:61-5:9
'721 patent at 6:5-7:7
'721 patent at 7:62-8:6
'721 patent at 16:37-17:23
'721 patent at 17:41-18:2
'721 patent at 18:19-39
'721 patent at 19:11-20:25


prevents the first secure execution space from executing the same
executable accessed by a second secure execution space having a
second tamper resistant barrier with a second security level
different from the first security level


Patent Specifications
'721 patent at 4:61-5:9
'721 patent at 6:5-7:7
'721 patent at 7:62-8:6
'721 patent at 16:37-17:23
'721 patent at 17:41-18:2
'721 patent at 18:19-39
'721 patent at 19:11-20:25


'861:58


creating a first secure container


Patent Specifications
'861 patent at 3:3-4
'861 patent at 3:39-43
'861 patent at 6:29-32
'861 patent at 10:7-10
'861 patent at 11:48-58
'861 patent at 16:32-35
See Secure Container


including or addressing . . . organization information . . .
desired organization of a content section. . . and metadata
information at least in part specifying at least one step
required or desired in creation of said first secure container


Patent Specifications
'861 patent at 5:57-6:7
'861 patent at 10:38-53
'861 patent at 14:14-29
'861 patent at 15:21-31
'861 patent at 17:49-53




at least in part determine specific information required to be
included in said first secure container contents


Patent Specifications
'861 patent at 10:49-61
'861 patent at 15:21-31
'861 patent at 28:26-28
'193 patent at 69:66-70:1
'193 patent at 71:19-20
'193 patent at 230:30-34


rule designed to control at least one aspect of access to or use of at
least a portion of said first secure container contents


Patent Specifications
'861 patent at 15:21-31
'861 patent at 17:49-53








resource processed in a secure operating environment at a first
appliance


Patent Specifications
'193 patent at 83:44-48
See Protected Processing Environment


securely receiving a first entity's control at said first appliance


Patent Specifications
'193 patent at 55:52-54




'193 patent at 57:27-36 




'193 patent at 60:37-48 




'193 patent at 62:32-39 




'193 patent at 67:21-52 




'193 patent at 68:65-69:12 




'193 patent at 75:65-76:1 




'193 patent at 76:10-32 




'193 patent at 77:30-44 




'193 patent at 81:26-32 




'193 patent at 83:53-84:7 




'193 patent at 91:38-51 




'193 patent at 96:1-6 




'193 patent at 96:12-17 




'193 patent at 101:54-102:25 




'193 patent at 102:41-51 




'193 patent at 104:29-37 




'193 patent at 118:64-119:43 




'193 patent at 123:22-28 




'193 patent at 123:51-56 




'193 patent at 155:51-156:2 




'193 patent at 160:66-161:51 




'193 patent at 162:39-163:35 




'193 patent at 200:66-201:42 




'193 patent at 211:39-212:10 




'193 patent at 214:59-67 




'193 patent at 218:31-220:19
]y3 patent at 225:50-22o:3o
'193 patent at 227:25-228:30
'193 patent at 233:25-35




'193 patent at 282:56-61 




'193 patent at 283:61-65 




'193 patent at 290:46-62 




071 palCIll al jZZ.jO*Qj 




See "Securely Receiving" and "Receiving a first control from said clearinghouse at
said first device" (193.19)


securely receiving a second entity's control at said first
appliance


See "Securely receiving a first entity's control at said first appliance" (891.1)


securely processing a data item at said first appliance, using at least
one resource


See "Resource processed in a secure operating environment at a first appliance"
(891.1); and "Securely Processing."


securely applying at said first
appliance through use of said at
least one resource said first
entity's control and said second
entity's control to govern use of
said data item


Patent Specifications

'891 patent at 322:16-18

See "Resource processed in a secure operating environment at a first appliance"
(891.1); and "Securely Applying


'900:155




first host processing environment 
comprising 


See Host Processing Environment 


designed to be loaded into said 
main memory and executed by 
said central processing unit 


Patent Specifications 
'900 patent at 82:12-23


said tamper resistant software 
comprising: . . . one or more 
storage locations storing said 
information 


Patent Specifications 
'900 patent at 239:50-53 


derives information from one or 
more aspects of said host 
processing environment, 


Patent Specifications 

'900 patent at 239:4-42 


one or more storage locations 
storing said information 


Patent Specifications 
'900 patent at 239:4-21 
'900 patent at 239:50-60 
'900 patent, Fig. 69C


information previously stored in 
said one or more storage locations 


Patent Specifications 
'900 patent at 239:15-55 
yuv paicni ai z*t u. j i oh 


generates an indication based on 
the result of said comparison 


Patent Specifications 
'900 patent at 239:56-64
'900 patent at 243:32-41 


programming which takes one or 
more actions based on the state of 
said indication 


Patent Specifications 
'900 patent at 239:56-64 
'900 patent at 242:52-67 
'900 patent at 243:32-41 
'900 patent at 243:65-244:2 
'900 patent at 244:33-39 
'900 patent at 247:50-57 


at least temporarily halting further 
processing 


Patent Specifications 
'900 patent at 239:56-64 
'900 patent at 242:52-67 
'900 patent at 243:32-41 
'900 patent at 243:65-244:2 
'900 patent at 244:33-39 
'900 patent at 247:50-57


'912:8 




identifying at least one aspect of 
an execution space required for 
use and/or execution of the load 
module 


Patent Specifications 
'193 patent at 140:15-46 


said execution space identifier 
provides the capability for 
distinguishing between execution 
spaces providing a higher level of 
security and execution spaces 
providing a lower level of security 


Patent Specifications 
'193 patent at 140:15-46

'912 patent at 327:59-61 
'912 patent at 327:64-66 


checking said record for validity 
prior to performing said executing 
step 


Patent Specifications 
'193 patent at 112:46-113:2 

File Histories 

'912 File History, 9/22/98 Office Action, pp. 2-3. 


'912:35




received in a secure container 


Patent Specifications 
'193 patent at 58:48-58 


said component assembly 
allowing access to or use of 
specified information 


Patent Specifications 
'193 patent at 69:66-70:1 
'193 patent at 71:19-20 
'193 patent at 83:53-84:16 
'193 patent at 159:61-160:8 
'193 patent at 230:30-34 

Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992) ("information") 

'193 patent at 69:66-70:1 
'193 patent at 71:19-20
'193 patent at 230:30-34


said first component assembly 
specified by said first record 


See "Said component assembly allowing access to or use of specified information" 
(912.35) 




Evidence Relevant to Numerous Disputed Claim Terms and Phrases 




Refreshing a budget 


Patent Specifications 
'193 patent at 131:10-13 
'193 patent at 162:39-65 
'193 patent at 173:21-174:14 


Absolute protection 


Patent Specifications 
'193 patent at 16:25-28 
'193 patent at 35:59-63 
'193 patent at 38:4-12 
'193 patent at 49:59-62 
'193 patent at 80:65-81:8
'193 patent at 199:38-46
'193 patent at 221:2-6
'193 patent at 222:49-53
'193 patent at 223:4-10

'721 patent at 21:9-24
'721 patent at 24:48-56




Citations from Sources Designated by Microsoft under PLR 4-2flrt

Landwehr, Formal Models for Computer Security, ACM Computer Surveys (Sept. 3, 1981), p.


v^uinpuier occuniy nanaoooK, za ea. ^xviacrniiiaii, xyooj, pp. /D, zUl, zlo, 2V2-y3 




Hoffman, Modern Methods for Computer Security and Privacy (Prentice-Hall, 1977),
p. 170. 




Garfinkel et al., Practical Unix Security (O'Reilly & Associates, 1991), pp. 12-13. 




Neumann, Computer Related Risks (ACM Press, 1995), p. 2. 


Alternative control structures 


Patent Specifications 
'193 patent at 28:29-37 
'193 patent at 30:42-31:7 
'193 patent at 31:29-56

* 1 natent of AS* 1 < K 

iyj paicni ai *to. l ooj 
'193 patent at 306:30-65 
'193 patent at 308:29-42 
'193 patent at 308:48-65 
'193 patent at 312:11-31


Digital file versus a copy 


Patent Specifications 
'193 patent at 162:10-15 

1 yo palcm al 1 I - i O 

'193 patent at 278:11-21
'193 patent at 316:16-37 
'193 patent at 324:8-37 
'193 patent at 325:32-40 


Host Processing Environments 
and Secure Processing 
Environments 


Patent Specifications 
'193 patent at 13:7-14 
'193 patent at 79:24-80:21 
'193 patent at 80:65-81:8 
'193 patent at 278:46-65 

'683 patent at 29:51-30:3 

'721 patent at 3:16-21

EXHIBIT D

PLR 4-3(b) - Microsoft's Listing of Intrinsic and Extrinsic Evidence



Each claim phrase incorporates the Intrinsic and Extrinsic support of the individual terms within it 



Claim Term 


MS Construction 


access, accessed, 
access to, 
accessing 

193.15, 193.19, 
912.8,912.35, 
861.58, 683.2, 
721.34 


Intrinsic: 

- "These rights govern use of the VDE object 300 by that user or user group. For instance, the user
may have an "access" right, and an "extraction" right, but not a "copy" right." ('193 159:32)

- ('193 82:27-45); ('193 109:53-57); ('193 118:17-31); ('193 139:60-140:6); ('193 148:55-58); ('193
183:12-29); ('193 188:59-67); ('193 1922-24)

Extrinsic: 2 

Access (n): 2. The use of an access method. 3. The manner in which files or data sets are referred to by 
the computer. 5. In computer security, a specific type of interaction between a subject and an object 
that results in the flow of information from one to the other. (IBM) 

Access (n.): 1 . In access control, a specific type of interaction between a subject and an object that 
results in the flow of information from one to the other 3. In computing, the manner in which files or
data sets are referred to by a computer (Longley) 4 

Access(ing) (v.): 1 . To obtain the use of a computer resource. 4. To obtain data from or to put data in 
storage. (IBM) 


addressing 
861.58 


Intrinsic: 

"Load modules 1100 in the preferred embodiment are modular and "code pure" so that individual load
modules may be reenterable and reusable. In order for components 690 to be dynamically updatable, 
they may be individually addressable within a global public name space." ('193 86:49-53) 

Extrinsic: 

Addressing (v): 1 . A character or group of characters that identifies a register, a particular part of 
storage, or some other data source or destination. 4. A name, label, or number identifying a location in 
storage, a device in a system or network, or any other data source. 5. In data communication, the 
unique code assigned to each device or workstation connected to a network.(IBM) 

Addressing (n.): 1. In computing, a character or group of characters that identifies a register, a 
particular part of storage, or some other data source or destination 2. In computing, to refer to a device 
or an item of data by its address. (Longley)

Addressing (v): 1 . In computing, the assignment of addresses to the instructions of a program 

2. In communications, the means whereby the originator or control station selects the unit to which it is 

going to send a message (Longley) 


allowing, allows 

912.35,193.1, 

193.11,193.15, 

193.19 


Intrinsic: 

- SN 08/780,545 ('912): 10/29/98 amendment to claim 21 1 (issued claim 35) "necessary in order to
gain" to "allowing" 

- VDE can: (a) audit and analyze the use of content, (b) ensure that content is used only in authorized 
ways, and (c) allow information regarding content usage to be used only in ways approved by content 
users." ('193 4:51-56) 



1 Citations to the '193 Patent are representative of citations to the text and drawings of the "Big Book" application also
published in the '891, '900, and '912 Patents. Emphasis is added unless otherwise noted.

2 Extrinsic evidence is cited herein without waiver of any kind, including relevance or probative value.

3 "IBM" herein refers to IBM Dictionary of Computing, 10th ed., 1983.

4 "Longley" herein refers to Longley, D., et al, Information Security: Dictionary of Concepts, Standards, and Terms, 1992
- VDE is a secure system for regulating electronic conduct and commerce. Regulation is ensured by
control information put in place by one or more parties. ('193 6:33-34)

- VDE ensures that certain prerequisites necessary for a given transaction to occur are met ('193
20:27-28)

- ('193 309:10-16); ('193 15:41-46); ('193 17:22-28); ('193 303:67-304:1)
Extrinsic: 

Least privilege: Each user and each program should operate using the fewest privileges possible. In
this way, the damage from an inadvertent or malicious attack is minimized (Pfleeger) 5


arrangement 
721.34 


See also phrases of use in 721.34.
Intrinsic:

An important part of VDE provided by the present invention is the core secure transaction control
arrangement, herein called an SPU (or SPUs), that typically must be present in each user's computer,
other electronic appliance, or network. ('193 48:66)


aspect 

900.155,912.8, 
861.58, 683.2


See also phrases of use in 900.155, 912.8, 861.58, 683.2. 
Extrinsic: 

Aspect: The qualification of a descriptor. (IBM)


associated with 

912.8, 193.1, 

193.11,193.15, 

683.2 


Intrinsic: 

- "VDEF load modules, associated data, and methods form a body of information that for the purposes 
of the present invention are called "control information." VDEF control information may be specifically 
associated with one or more pieces of electronic content and/or it may be employed as a general 
component of the operating system capabilities of a VDE installation." ('193 18:36-42) 

- "As mentioned above, virtual distribution environment 100 "associates" content with corresponding 
"rules and controls," and prevents the content from being used or accessed unless a set of corresponding 
"rules and controls" is available." ('193 57:18-22)

objects 300 with PERCs 808, methods 1000 and load modules 1100." ('193 153:35-38) 

- ('193 55:39-45); ('193 142:50-52); ('193 57:30-33); ('861 1:50-53)
Extrinsic: 

Association: In the Open Systems Interconnection reference model, a cooperative relationship between 
two peer entities, supported by the exchange of protocol control information using the services of the 
next lower layer. (IBM) 


authentication 
193.15 


Intrinsic: 

- A certification key pair may be used as part of a "certification" process for PPEs 650 and VDE 
electronic appliances 600. This certification process in the preferred embodiment may be used to permit 
a VDE electronic appliance to present one or more "certificates" authenticating that it (or its key) can be 
trusted. As described above, this "certification" process may be used by one PPE 650 to "certify" that it 
is an authentic VDE PPE, it has a certain level of security and capability set (e.g., it is hardware based 
rather than merely software based), etc. ('193 212:66-213:15)

- "One of the functions SPU 500 may perform is to validate/authenticate VDE objects 300 and other 
items. Validation/authentication often involves comparing long data strings to determine whether they 
compare in a predetermined way." ('193 67:56-60)



5 "Pfleeger" herein refers to Pfleeger, Security in Computing (1989). 
- ('683 17:20-27); ('683 52:56-60); ('193 112:46-61)
Extrinsic: 

Authentication: 1. In computer security, verification of the identity of a user or the user's eligibility to
access an object. 2. In computer security, verification that a message has not been altered or corrupted. 
3. In computer security, a process used to verify the user of an information system or protected 
resources. 4. A process that checks the integrity of an entity. (IBM) 

Authentication: 1. In data security, the act of determining that a message has not been changed since 
leaving its point of origin. 4. In computer security, the act of identifying or verifying the eligibility of 
a station, originator, or individual to access specific categories of information. (Longley)


authorization 
information, 
authorized, not 
authorized 

193.15, 193.19 


Intrinsic: 

- See "allow." 

Several independent comparisons may be used to ensure there has been no unauthorized substitution. 
For example, the public and private copies of the element ID may be compared to ensure that they are 
the same, thereby preventing gross substitution of elements. In addition, a validation/correlation tag 
stored under the encrypted layer of the loadable element may be compared to make sure it matches one 
or more tags provided by a requesting process. This prevents unauthorized use of information. ('193 87:47-55)

"using said authorization information to gain access to or make at least one use of said first digital file" 
('193 Claim 19)

Extrinsic: 

Authorization: 1. In computer security, the right granted to a user to communicate with or make use of a
computer system. 2. An access right. 3. The process of granting a user either complete or restricted 
access to an object, resource, or function. (IBM) 

Authorization: (1) In access control, the granting to a user, a program, or a process the right of access. 
(2) In operations, the right given to a user to communicate with or make use of a computer system or 
stored data. 3. The privilege granted to an individual by a designated official to access information 
based upon the individual's clearance and need-to-know. (Longley) 

Authorization: "A system control feature that requires specific approval before the processing can take
place." (Webster's New World Dictionary of Computer Terms, 4th ed., 1992)


budget control; 
budget 

193.1 


Intrinsic: 

- ""Budgets" 308 shown in FIG. 5B are a special type of "method" 1000 that may specify, among
other things, limitations on usage of information content 304, and how usage will be paid for. Budgets
308 can specify, for example, how much of the total information content 304 can be used and/or
copied. The methods 310 may prevent use of more than the amount specified by a specific budget"
('193 59:19-25) (See also Fig. 5B)

- "For example, consider the case of a security budget. One form of a typical budget might limit the 
user to 10Mb of decrypted data per month." ('193 265:9-11)

- "An example of the process steps used for the move of a budget record might look something like 
this: 1) Check the move budget (e.g., to determine the number of moves allowed) ('193 265:24-27)

- "BUDGET method 408 may store budget information in a budget UDE" ('193 182:25-26)

• "In the preferred embodiment, a "method" 1000 is a collection of basic instructions, and information 
related to basic instructions, that provides context, data, requirements and/or relationships for use in 
performing, and/or preparing to perform, basic instructions in relation to the operation of one or more
electronic appliances 600." ('193 85:43-48; repeated essentially at '193 136:20-25)

- BUDGET method 408 may result in a "budget remaining" field in a budget UDE being decremented 
by an amount specified by BILLING method 406. ('193 182:22-30)

- ('193 58:27-34); ('193 187:48-50); ('193 235:3<M2); ('193 143:63 - 144:14); ('193 265:44-51)
Extrinsic: 

Budget: A budget is the control mechanism for a meterable feature. A budget provides an upper limit 
for the volume of a meterable feature that a user (client) may use. Budgets consist of two values: a 
ceiling limit on use and an increment value that is added to the associated meter when a meterable event 
occurs. Budgets may be stand-alone or cascaded. A stand-alone budget only increments the meters for
itself, while a cascaded budget can increment many meters from a single meterable event. A budget 
consists of an identification sextet, a descriptive area that describes the budget (cascade budget tuple 
and other miscellaneous flags), and a series of budget tuples. Each budget tuple consists of a budget 
and the increment value. It should be noted that a budget may be specified in meterable events or in 
dollars, based on the type of meter the budget will be compared against. (VDE ROI Device v1.0a, 9
Feb 1994, IT00008582)

Control: The determination of the time and order in which the parts of a data processing system and the 
devices that contain those parts perform the input, processing, storage, and output functions. (IBM) 

Budget Object: A governed element that defines the consumer's ability to provide payment using a
specific payment type. ((ITG, 1997-1998, ML00012B) 6 

Budget Object: An InterTrust system object that defines the consumer's ability to provide payment 
using a specific payment type. ((emphasis added) IT System Developers Kit, 1997, TD00298C)

Budget: A control mechanism that limits operations on content based on billed amounts that can 
maintain a budget trail. A budget may be financially based (e.g., a number of dollars available for 
purchasing content use) or abstract (e.g. a total number of permitted usages). (ITG, 3/7/95,
IT00709617)

Budget: *A fixed quantity of money, time, etc. against which the cost of operation is charged. Budget
activities usually also involve reporting. ((ITG, 8/21/95, IT0032371) 

Control: Defines rules and consequences for operations on a Property Chunk. A Control may be 
implemented by a process of arbitrary complexity (within the limits posed by the capability of the 
Node. ((ITG, 5/12/95, IT00028293) 

Control: A business rule that governs the use of content. ((ITG, 1997-1998, ML00012B) 
Control: A set of rules and consequences that apply to a governed element. The term control can apply 
to either a control program or a control set. ((ITG, 1997-2000, ML00012D) 
Control: *Control Element: A data structure that giverns (sic) the operation of a control mechanism
(e.g., meter element, budget element, report element, trail element). *Control mechanism: One of the
mechanisms that controls and performs operations on a VDE object (e.g. meter, bill, budget). A control
mechanism is distinct from a control element in that it specifies the execution of some process.
*Control object: A data structure that is used to implement some VDE control: a PERC, a control
element, a control parameter, or the data representing a control mechanism. *Control Parameter: A
data structure that is input to a control mechanism and that serves as part of the mechanism's
specifications. For example, a billing mechanism might have a pricing parameter; a creator using that
mechanism could alter the parameter but not change the mechanism itself. ((ITG, 3/7/1995,
IT00709618, see footnote 2)


can be 
193.1 


Intrinsic: 

VDE can: (a) audit and analyze the use of content, (b) ensure that content is used only in authorized 
ways and (c) allow information regarding content usage to be used only in ways approved by content 



6 "(ITG" herein is a generic reference to several InterTrust glossaries that are further identified by Bates number or IT 
document number. 
users." ('193 4:51-56)

- VDE is a secure system for regulating electronic conduct and commerce. Regulation is ensured by 
control information put in place by one or more parties. ('193 6:33-35)

- It also employs a software object architecture for VDE content containers that carries protected 
content and may also carry both freely available information (e.g., summary, table of contents) and
secured content control information which ensures the performance of control information. ('193
15:41-46)

- Because of the breadth of issues resolved by the present invention, it can provide the emerging 
"electronic highway" with a single transaction/distribution control system that can, for a very broad
range of commercial and data security models, ensure against unauthorized use of confidential and/or
proprietary information and commercial electronic transactions. ('193 17:22-28)

- VDE ensures that certain prerequisites necessary for a given transaction to occur are met. ('193
20:27-28)

- "support "launchable" content, that is content that can be provided by a content provider to an end- 
user, who can then copy or pass along the content to other end-user parties without requiring the direct 
participation of a content provider to register and/or otherwise initialize the content for use." ('193
24:57-62)

- "For example, budget process 408 may limit the number of times content may be accessed or 
copied, or it may limit the number of pages or other amount of content that can be used based on, for 
example, the number of dollars available in a credit account" ('193 58:28-32)

- "Budgets 308 can specify, for example, how much of the total information content 304 can be used 
and/or copied. The methods 310 may prevent use of more than the amount specified by a specific 
budget" ('193 59:22-25) 

- "As an alternative example, a creator may allow moving of usage rights by a distributor to half a 
dozen subdistributors, each of whom can distribute 10,000 copies, but with no redistribution rights 

being allowed to be allocated to subdistributors' (redistributors') customers. ... Content providers and
other contributors of control information have the ability through the use of permissions records and/or
component assemblies to control rights other users are authorized to delegate in the permissions records
they send to those users, so long as such right to control one, some, or all such rights of other users is
either permitted or restricted (depending on the control information distribution model)" ('193 269:34-49)

"In such systems, because document content can be freely copied and manipulated, it is not possible to 
determine where document content has gone, or where it came from." ('193 281:33-36)


capacity 
683.2 


Intrinsic: 

"Some items may be too large to store within container 302." ('193 58:54-55)

('193 243:23-244:48)

Extrinsic: 

Capacity: See channel capacity, storage capacity. (IBM)

Channel Capacity: The measure of the ability of a given channel subject to specific constraints to
transmit messages from a specified message source expressed as either the maximum possible mean
transinformation content per character or the maximum possible average transinformation rate, which
can be achieved with an arbitrary small probability of errors by use of an appropriate code. (IBM) 

Storage capacity: The amount of data that can be contained in a storage device measured in binary 
characters, bytes, words, or other units. For registers, the term "register length" is used with the same 
meaning. Synonymous with storage size. (IBM) 


clearinghouse
193.19


Intrinsic:


- "Distribution involves three types of entity. Creators usually are the source of distribution. They 
typically set the control structure "context" and can control the rights which are passed into a 
distribution network. Distributors are users who form a link between object (content) end users and 
object (content) creators. They can provide a two-way conduit for rights and audit data. Clearinghouses 
may provide independent financial services, such as credit and/or billing services, and can serve as 
distributors and/or creators. Through a permissions and budgeting process, these parties collectively can
establish fine control over the type and extent of rights usage and/or auditing activities." ('193 267:34-45)

- "Payment credit or currency may then be automatically communicated in protected (at least in part 
encrypted) form through telecommunication of a VDE container to an appropriate party such as a 
clearinghouse, provider of original property content or appliance, or an agent for such provider (other 
than a clearinghouse)." ('193 36:64-37:3)

"if appropriate credit (e.g. an electronic clearinghouse account from a clearinghouse such as VISA or
AT&T) is available" ('193 25:22-24)

Extrinsic: 

Clearinghouse: *A facility that receives reports of content use and in turn reports payments and usage 
to content creators and distributors. (ITG, 8/21/95, IT00032372, TD00068B) 


compares, 
comparison 

900.155 


Intrinsic: 

"ROS 602 also provides a tagging and sequencing scheme that may be used within the loadable 
component assemblies 690 to detect tampering by substitution. Each element comprising a component 
assembly 690 may be loaded into an SPU 500, decrypted using encrypt/decrypt engine 522, and then 
tested/compared to ensure that the proper element has been loaded. Several independent comparisons 
may be used to ensure there has been no unauthorized substitution. For example, the public and private 
copies of the element ID may be compared to ensure that they are the same, thereby preventing gross 
substitution of elements." ('193 87:41-51) 

Extrinsic: 

Compare: 1. To examine two items to discover their relative magnitudes, their relative positions in an
order or in a sequence, or whether they are identical in given characteristics. 2. To examine two or
more items for identity, similarity, equality, relative magnitude, or order in a sequence. (IBM)

Comparison: The process of examining two or more items for identity, similarity, equality, relative 
magnitude, or for order in sequence. (IBM) 


component 
assembly 

912.8, 912.35


Intrinsic: 

• "Many such load modules are inherently configurable, aggregatable, portable, and extensible and 
singularly, or in combination (along with associated data), run as control methods under the VDE 
transaction operating environment." ('193 25:48-52) 

- ('193 77:12-27); ('193 83:11-22); ('193 181:20-21); ('193 272:29-36)

"Components 690 are preferably designed to be easily separable and individually loadable. ROS 
602 assembles these elements together into an executable component assembly 690 prior to loading 
and executing the component assembly (e.g., in a secure operating environment such as SPE 503 
and/or HPE 655)." ( 1VJ Si .43-48;

- ('193 83:23); ('193 85:21-29 see '193 170:2-4); ('193 86:51-52); ('193 87:41-62); ('193 109:24-45);
('193 115:65-116:4); ('193 116:30-34); ('193 185:42-46)

Extrinsic: 

Component: 1. Hardware or software that is part of a functional unit. 2. A functional part of an
operating system. 3. A set of modules that performs a major function within a system. (IBM) 

Component: In data communications, a device or set of devices, consisting of hardware, along with its 
firmware and or software that performs a specific function on a computer communications network. A
Component is a part of a larger system, and may itself consist of other components. (Longley) 

"Thus PERC 808 in effect contains a "list of assembly instructions" or a "plan" specifying what 
elements ROS 602 is to assemble together into a component assembly and how the elements are to be 
connected together. PERC 808 may itself contain data or other elements that are to become part of the 
component assembly 690." ('193 85:30-39)


contain, 

contained, 

containing 

683.2, 912.8,
912.35 


Intrinsic: 

- "Container 300y may contain and/or reference rules and control information 300y(1) that specify
the manner in which searching and routing information use and any changes may be paid for." ('193
241:36-39)

- "Each logical object structure 800 may also include a "private body" 806 containing or referencing 
a set of methods 1000 (i.e., programs or procedures) that control use and distribution of the object 

300." ('193 128:25-28)

- "Therefore, stationary object structure 850 does not contain a permissions record (PERC) 808;
rather, this permissions record is supplied and/or delivered separately (e.g., at a different time, over a
different path, and/or by a different party) to the appliance/installation 600." ('193 130:18-22)

- "The content portion of a logical object may be organized as information contained in, not 
contained in, or partially contained in one or more objects." ('193 127:8-19) 

- "Therefore stationary object structure 850 does not contain a permissions record (PERC) 808; 
rather, this permissions record is supplied and/or delivered separately (e.g., at a different time, over a 
different path, and/or by a different party)" ('193 130:18)

Cm 58-49-58); ('193 86:47-48); ('193 87:3-6); ('193 130:63-64); ('193 136:32-34); ('193
241:36-39); ('683 54:29-37)

See also prior art referred to the relevant InterTrust patent file histories, e.g. U.S. Patent 5,715,403 
Extrinsic: 

"Container. A contains protected content, which is divided into one or more atomic elements, and, 
optionally, PERCs governing the content and may be manipulated only as specified by a PERC. " (ITG, 
4/6/95, IT00028206, see footnote 2 and 4) 

"Container: A packaging mechanism, consisting of: *One or more Element-derived components. *An
organization mechanism which provides a unique name within a flat namespace for each of the 
components in a Container." (ITG, 5/12/95, IT00028293) 

"Container: A protected digital information storage and transport mechanism for packaging content
and control information." (ITG, 8/21/95, IT00032372, TD00068B) 

Container: A collection of content and control-related information. (IT VDE Container Overview, 
2/10/95, IT00051228, ETM-9999 Version 0.21)
Container: In data security, a multilevel information structure. A container has a classification and may
contain objects and/or other containers. (Longley, Information Security dictionary of Concepts,
Standards, and Terms (1992))
USP 5,369,702 

Que's Computer Programmer's Dictionary ("Que") ("A dynamic data structure, the elements of which 
are arbitrary data items whose type is not known when the program is written. 
Dictionary of Computer Science Engineering and Technology (2001) ("Abstract data type storing a 
collection of objects (elements)")

IT00037-44, IT002734-39, IT004188-96, IT0031572-85, IN00075960, IT00703055-71, IT0052146-64,
FN00441 1 89-224, IN0075983-87 

See also Microsoft PLR 4-2 Exhs. E & F as revised, and InterTrust's Rule 30(b)(6) testimony.
control (n.)

193.1, 193.11, 
193.15, 193.19, 
891.1 


Intrinsic: 

"Claims ... are allowable over the prior art of record. The instant claims provide for first and 
second entity or control or procedure or executable code that are separately, remotely and different
from each to combine or process or execute an operation or procedure based on at least first and
second control or procedure or executable code in an electronic appliance or secure operating
environment or third party different and remote from the first and second entity or control or procedure
or executable code." 08/964,333 ('891), Office Action, 09/22/98, p. 3 (MS1028945) 

The virtual distribution environment 100 prevents use of protected information except as 
permitted by the "rules and controls" (control information)." ('193 56:26)

"As mentioned above, virtual distribution environment 100 "associates" content with 
corresponding "rules and controls," and prevents the content from being used or accessed unless a set 
of corresponding "rules and controls" is available." ('193 57:18-22) 

- "at least one rule and/or control associated with the software agent that governs the agent's
operation." ('193 241:2-3)

- "In this example control information may include one or more component assemblies that describe 
the articles within such a container (e.g. one or more event methods referencing map tables and/or 
algorithms that describe the extent of each article)" ('193 309:5-9)

- "Even if a consumer has a copy of a video program, she cannot watch or copy the program unless
she has "rules and controls" that authorize use of the program. She can use the program only as
permitted by the "rules and controls." ('193 53:60-63)

- "A control set 914 contains a list of required methods that must be used to exercise a specific right 
(i.e., process events associated with a right)" ('193 151:14-16)

- "If necessary, trusted go-between 4700 may obtain and register any methods, rules and/or controls it 
needs to use or manipulate the object 300 and/or its contents (FIG. 122 block 4778)." ('683, sheet 188)

See also prior art referred to the relevant InterTrust patent file histories. 

MSI026598-602, 26626-7, 26630-42; MSI028808-11, 28846-52, 28728-62, 28857-58, 28944-97,
28953-56 

Extrinsic: 

Control: The determination of the time and order in which the parts of a data processing system and the 
devices that contain those parts perform the input, processing, storage, and output functions. (IBM) 

"5. Control Notes ... A Control must execute as a transaction ... A Control may require pre-conditions 

- that is that one or more other Controls have been executed before the Control is executed. [] 7. 
Control Execution Flow The following pseudocode describes the approximate execution sequence for a 
View Control Q 8. Operation of a Control (Execution of "Rules and Consequences") . . (VDE 
Controls Notes, IT00051953-55)

Control: A business rule that governs the use of content. (ITG, 1997-1998, ML00012B) 

Control: A set of rules and consequences that apply to a governed element. The term control can apply 
to either a control program or a control set. (ITG, 1997-2000, ML00012D) 

Control: *Control Element: A data structure that giverns (sic) the operation of a control mechanism
(e.g., meter element, budget element, report element, trail element). *Control mechanism: One of the
mechanisms that controls and performs operations on a VDE object (e.g. meter, bill, budget). A control
mechanism is distinct from a control element in that it specifies the execution of some process.
*Control object: A data structure that is used to implement some VDE control: a PERC, a control
element, a control parameter, or the data representing a control mechanism. *Control Parameter: A
data structure that is input to a control mechanism and that serves as part of the mechanism's
specifications. For example, a billing mechanism might have a pricing parameter; a creator using that
mechanism could alter the parameter but not change the mechanism itself. (ITG, 3/7/1995,
IT00709618, see footnote 2)

Control: Defines rules and consequences for operations on a Property Chunk. A Control may be 
implemented by a process of arbitrary complexity (within the limits posed by the capability of the
Node. (ITG, 5/12/95, IT00028293)

Control: A set of rules and consequences for operations on content, such as pricing, payment models, 
usage reporting etc. (ITG, 8/21/95, IT00032373, TD00068B) 

Control: An object of the InterTrust Commerce Architecture that specifies business rules. Controls are 
applied at any time and at any point in the Chain of Handling and Control. InterTrust controls are 
dynamic, independent, and persistent. (ITG, 11/17/96, IT00035865, TO00189J)

"Rules and Controls" means any electronic information that directs, enables, specifies, describes, and/or 
provides contributing means for performing or not-performing, permitted and/or required operations 
related to Content, including, for example, restricting or otherwise governing the performance of 
operations, such as, for example, Management of such Content (License Agreement, 
InterTrust/Universal Music Group, 4/13/99, Exhibit 11 to InterTrust 30(b)(6))

"A set of control elements corresponding to all of the property elements of a property. There may be 
zero or more controls for a given property." (IT 28204) 

"Defines rules and consequences for operations on a Property Chunk ... A single control applies to 
exactly one Property Chunk" (IT 28293) 

"CONTROL(S): Controls refer to the rules and consequences associated with DigiBox containers. 
Controls may be applied dynamically. . " (IT 35961) 

"CONTROL: The rules associated with a governed entity such as a DigiBox container, property, or 
another control . . . applied dynamically. InterTrust controls are dynamic, independent, and persistent" 
(IT 35920) 

". . . controls implement business rules" (IT 35892) 

Webster's New World Dictionary of Computer Terms, 4th Ed. (1992) ("The function of performing
required operations when certain specific conditions occur or when interpreting and acting upon 
instructions."); IT00125, IT31410-14, IT703083-89, IT51721-26, IT00735936 (key), IT51956 et seq., 
IN0075983-87, IN0075989-93; The Dictionary of Computing & Digital Media (1999) (control card) 

See also Microsoft PLR 4-2 Exhs. E & F as revised, and InterTrust's Rule 30(b)(6) testimony.


controlling, 
control (v.) 

861.58, 193.1 


Intrinsic: 

- "ROS 602 includes software intended for execution by SPU microprocessor 520 for, in part, 
controlling usage of VDE related objects 300 by electronic appliance 600. As will be explained, these 
SPU programs include "load modules" for performing basic control functions." ('193 66:5-8) 

"VDE prevents many forms of unauthorized use of electronic information, by controlling and 
auditing (and other administration of use) electronically stored and/or disseminated information." 
('193 11:60-63) 

- ('193 15:41-46); ('193 20:27-28); ('193 56:26-28); ('193 57:18-22) ('193 4:51-56); ('193 6:33-35);
('193 15:41-46); ('193 17:22-28); ('193 20:27-28)

Extrinsic:

Control: The determination of the time and order in which the parts of a data processing system and the 
devices that contain those parts perform the input, processing, storage, and output functions. (IBM) 

Control: In data security, a multilevel information structure. A container has a classification and may 
contain objects and/or other containers. (Longley) 

Control: A business rule that governs the use of content. (ITG, 1997-1998, ML00012B) 

Control: A set of rules and consequences that apply to a governed element. The term control can apply 
to either a control program or a control set. (ITG, 1997-2000, ML00012D)

Control: *Control Element: A data structure that giverns (sic) the operation of a control mechanism
(e.g., meter element, budget element, report element, trail element). *Control mechanism: One of the
mechanisms that controls and performs operations on a VDE object (e.g. meter, bill, budget). A control
mechanism is distinct from a control element in that it specifies the execution of some process.
*Control object: A data structure that is used to implement some VDE control: a PERC, a control
element, a control parameter, or the data representing a control mechanism. *Control Parameter: A
data structure that is input to a control mechanism and that serves as part of the mechanism's
specifications. For example, a billing mechanism might have a pricing parameter; a creator using that
mechanism could alter the parameter but not change the mechanism itself. (ITG, 3/7/1995,
IT00709618, see footnote 2)

Control: Defines rules and consequences for operations on a Property Chunk. A Control may be 
implemented by a process of arbitrary complexity (within the limits posed by the capability of the 
Node. (ITG, 5/12/95, IT00028293)

Control: A set of rules and consequences for operations on content, such as pricing, payment models, 
usage reporting etc. (ITG, 8/21/95, IT00032373, TD00068B)


copied file 
193.11 


Intrinsic: 
Extrinsic: 

Copy: A product of a document copying process. (IBM) 


copy, copied, 
copying 

193.1, 193.11, 
193.15, 193.19 


Intrinsic: 

"These rights govern use of the VDE object 300 by that user or user group. For instance, the user 
may have an "access" right, and an "extraction" right, but not a "copy" right." ('193 159:23-26)

"At the same time, electronic testing will allow users to receive a copy (encrypted or 
unencrypted) of their test results when they leave the test sessions." ('193 319:12-15) 

- ('193 129:3-8); ('193 claim 60); ('193 53:60-62); ('193 131:65-132:1)

Extrinsic: 

Copy: A product of a document copying process. (IBM) 


copy control 
193.1 


Intrinsic: 

- "If the user's budget permits the extraction ("yes" exit to decision block 2088), then the EXTRACT
method 2080 creates a copy of the extracted object with specified rules and control information (block
2094). In the preferred embodiment, this step involves calling a method that actually controls the
copy." ('193 194:36-42)

Extrinsic: 

Copy Control: In the 3800 Printing Subsystem, the functions that determine the number of copies to be 
printed for each data set, and which copies will be printed with a forms overlay or have copy 
modification. (IBM) 

Control: A business rule that governs the use of content. (ITG, 1997-1998, ML00012B) 

Control: A set of rules and consequences that apply to a governed element. The term control can apply 
to either a control program or a control set. (ITG, 1997-2000, ML00012D) 

Control: *Control Element: A data structure that giverns (sic) the operation of a control mechanism
(e.g., meter element, budget element, report element, trail element). *Control mechanism: One of the
mechanisms that controls and performs operations on a VDE object (e.g. meter, bill, budget). A control
mechanism is distinct from a control element in that it specifies the execution of some process.
*Control object: A data structure that is used to implement some VDE control: a PERC, a control
element, a control parameter, or the data representing a control mechanism. *Control Parameter: A
data structure that is input to a control mechanism and that serves as part of the mechanism's
specifications. For example, a billing mechanism might have a pricing parameter; a creator using that
mechanism could alter the parameter but not change the mechanism itself. (ITG, 3/7/95, IT00709618,
see footnote 2)

Control: Defines rules and consequences for operations on a Property Chunk. A Control may be 
implemented by a process of arbitrary complexity (within the limits posed by the capability of the 
Node. (ITG, 5/12/95, IT00028293)

Control: A set of rules and consequences for operations on content, such as pricing, payment models, 
usage reporting etc. (ITG, 8/21/95, IT00032373, TD00068B) 


data item 
891.1 


Extrinsic: 

Data Item: 1. The smallest unit of named data that has meaning in the schema or subschema. 2. A unit 
of data, either a constant or a variable, to be processed. 3. In the ADC operating system, a unit of data to 
be processed that includes constants, variable, or array elements, and character substrings. 6. 
Synonymous with host variable. (IBM) 

Data Item: In databases, the smallest unit of data that has independent meaning. (Longley) 

Item List: A list of data included with various objects. Item lists take two forms. When they are first 
created, they are in the form of lists that contain one or more data items. When you are finished 
creating the list, you convert the list to a blob, which is a set of raw bits that store the data in a compact 
way. To retrieve items from the item list, you use the Interoperability Library item list functions, which 
convert the blob back to its interpreted list form and allow you to inspect the data items. (ITG, 
1997-1998, ML00012B) 

Data Item: An Element-derived bag of bits (e.g., budget, meter, etc.). (ITG, 5/12/95, IT00028293) 


derive, derives 
900.155 


Intrinsic: 

"Such control information can continue to manage usage of container content if the container is 
"embedded" into another VDE managed object, such as an object which contains plural embedded VDE 
containers, each of which contains content derived (extracted) from a different source." ('193 28:60-65) 

Extrinsic: 


descriptive data 
structure 

861.58 


Intrinsic: 

"The descriptive data structure can be used as a template" to help create, and describe to other nodes, 
rights management data structures including being used to help understand and manipulate such rights 
management data structures." ('861 5:43-46) 

"Claims [1,10,25,26] are rejected under 35 U.S.C. 102(b) as being clearly anticipated by the common 
and decades-old practice of using database schema to describe the structure of a database which 
requires password/identifications for access. ... Claims [1-17,25-26] are rejected under 35 U.S.C. 
102(a) as being anticipated by Anderson et al (Anderson), USP 5,537,526, Method and Apparatus for 
Processing a Display Document Utilizing a System Level Document. The claims are rejected on the 
basis of the correspondence between the teachings of Anderson and the elements of the claims as 
follows: As to claim 1 (and 10), the TabstractModel 502 is a machine readable, abstract descriptive 
data structure which interoperates with Tmodels 506 (TM), and TmodelSurrogates 504 (TMS). ... 
These models are clearly data structures, and while they can be of many types, the data they manage 
can include restrictions that correspond to rights management." (08/805,804 ('861), Office Action, 
06/25/98, p. 2-3) 

- "The above-referenced Ginter et al. patent specification describes, by way of non-exhaustive 
example, "templates" that can act as a set (or collection of sets) of control instructions and/or data for 
object control software. See, for example, the "Object Creation and Initial Control Structures," 
"Templates and Classes," and "object definition file," "information" method and "content" methods 
discussions in the Ginter et al. specification. The described templates are, in at least some examples, 
capable of creating (and/or modifying) objects in a process that interacts with user instructions and 
provided content to create an object. Ginter et al. discloses that templates may be represented, for 
example, as text files defining specific structures and/or component assemblies, and that such 
templates— with their structures and/or component assemblies-may serve as object authoring and/or 
object control applications. Ginter et al. says that templates can help to focus the flexible and 
configurable capabilities inherent within the context of specific industries and/or businesses and/or 
applications by providing a framework of operation and/or structure to allow existing industries and/or 
applications and/or businesses to manipulate familiar concepts related to content types, distribution 
approaches, pricing mechanisms, user interactions with content and/or related administrative activities, 
budgets, and the like. This is useful in the pursuit of optimized business models and value chains 
providing the right balance between efficiency, transparency, productivity, etc. 

The present invention extends this technology by providing, among other features, a machine 
readable descriptive data structure for use in association with a rights management related (or other) 
data structure such as a secure container" ('861 4:65) 

- "For example, the FIG. 2 A example descriptive data structure headline definition 202a does not . 
specify a particular headline (e.g., "Yankees Win the Pennant!"), but instead defines the location (for 
example, the logical or other offset address) within the container data structure 100a (as well as certain 
other characteristics) in which such headline information may reside." ('861 10:54-59); 

- "These descriptive data structure ("DDS") templates may be used to create containers " ('861 6:26- 
32); 

- "the descriptive data structure may be used in a creation process 302. The creation process 302 may 
read the descriptive data structure and, in response, create an output file 400 with a predefined format 
such as, for example, a container 100 corresponding to a format described by the descriptive data 
structure 200." ('861 11:60-64) 

- "The output of the layout tool 300 may be a descriptive data structure 200 in the form of, for 
example, a text file. A secure packaging process 302a may accept container specific data as an input, 
and it may also accept the descriptive data structure 200 as a read only input. The packager 302a could 
be based on a graphical user interface and/or it could be automated. The packager 302a packages the 
container specific data 314 into a secure container 100." ('861 12:9-16) 

- "FIG. 24 shows an example of a user data element (UDE") 1200 provided by the preferred 
embodiment. As shown in FIG. 24, UDE 1200 in the preferred embodiment includes a public header 
802, a private header 804, and a data area 1206. The layout for each of these user data elements 1200 
is generally defined by an SGML data definition contained within DTD 1 108 associated with one or 
more load modules 1 100 that operate on the UDE 1200." ('193 143:21-28) 

- "The publisher 3308 may create or otherwise provide content and/or VDE control structure 
templates that are delivered to the local repository 3302 for use by other participants who have access 
to the "internal" network. The templates may be used to describe the structure of containers, and may 
further describe whom in the publisher 3308's organization may take which actions with respect to the 
content created within the organization related to publication for delivery to (and/or referencing by) 
the repository 3302. For example, the publisher 3308 may decide (and control by use of said template) 
that a periodical publication will have a certain format with respect to the structure of its content and 
the types of information that may be included (e.g. text, graphics, multimedia presentations, 
advertisements, etc.), the relative location and/or order of presentation of its content, the length of 
certain segments, etc. Furthermore, the publisher 3308 may, for example, determine (through 
distribution of appropriate permissions) that the publication editor is the only party that may grant 
permissions to write into the container, and that the organization librarian is the only party that may 
index and/or abstract the content." ('193 294:65-295:18) 

- "templates may be represented as text files defining specific structures and/or component 
assemblies. Templates, with their structure and/or component assemblies may serve as VDE object 
authoring or object control applications." ('193 260:36-47) 

- "...The result of object definition 1240 may be an object configuration file 1240 specifying certain 
parameters relating to the object to be created. Such parameters may include, for example, map 
tables, key management specifications, and event method parameters. The object construction stage 
1230 may take the object configuration file 1240 and the information or content to be included within 
the new object as input, construct an object based on these inputs, and store object repository 728." 
('193 103:38-46) 

- "In accordance with one example, the machine readable descriptive data structure provides a 
description that reflects and/or defines corresponding structure(s) within the rights management data 
structure. For example, the descriptive data structure may provide a recursive, hierarchical list that 
reflects and/or defines a corresponding recursive, hierarchical structure within the rights management 
data structure. In other examples, the description(s) provided by the descriptive data structure may 
correspond to complex, multidimensional data structures having 2, 3, or n dimensions. The descriptive 
data structure may directly and/or indirectly specify where, in an associated rights management data 
structure, corresponding defined data types may be found. The descriptive data structure may further 
provide metadata that describes one or more attributes of the corresponding rights management data 
and/or the processes used to create and/or use it. In one example, the entire descriptive data structure 
might be viewed as comprising such metadata." ('861 5:57- 6:7) 

- ('193 245:44-51); ('683 32:41-53); ('861 5:25-41); ('861 10:49-59); ('861 12:9-11); ('861 13:21- 
27); ('861 20:25-47); ('193 259:37-51); ('193 298:41-62); ('193 103:3-32); ('193 285:9-35); ('193 
193:49-59); ('193 287:37-41) 

Extrinsic: 


designating 
721.1 


Intrinsic: 
Extrinsic: 


device class 
721.1 


Intrinsic: 

"Furthermore, Applicants respectfully submit that some of the terms cited by the Examiner as 
"indefinite" are either well-known by persons skilled in the art or inherently clear. For example, in 
Claims 1-4, 22-25, the term "class" is used as part of the phrase "device class." Applicants respectfully 
submit that "device class" is inherently clear, meaning a group of devices which share at least one 
attribute." (08/689,754 ('721), Amendment, 04/14/99, p. 14) 

Extrinsic: 

Device: 1. A mechanical, electrical, or electronic contrivance with a specific purpose. (IBM) 
Device class: The generic name for a group of device types. (IBM) 

Device type: 1. The name for a kind of device sharing the same model number, for example, 2311, 
2400, 2400-1. Contrast with device class. (2) The generic name for a group of devices; for example, 
5219 for IBM 5219 Printers. Contrast with device class. (IBM) 


digital file 

193.1, 193.11, 
193.15, 193.19 


Intrinsic: 
Extrinsic: 

File: "A complete, named collection of information, such as a program, a set of data used by a program, 
or a user-created document. A file is the basic unit of storage that enables a computer to distinguish one 
set of information from another. A file is the "glue" that binds a conglomeration of instructions, 
numbers, words, or images into a coherent unit that a user can retrieve, change, delete, save, or send to 
an output device." (Microsoft Computer Dictionary, 3rd ed., 1997) 


digital signature, 
digitally signing 
721.1 


Intrinsic: 

"There exist many well known processes for creating digital signatures. One example is the Digital 
Signature Algorithm (DSA). DSA uses a public-key signature scheme that performs a pair of 
transformations to generate and verify a digital value called a "signature."" ('721 10:60-64) 

- ('721 4:64-67); ('721 11:7-22); ('721 14:49-60); ('721 14:64-15:2) 

"Certificates play an important role in the trustedness of digital signatures, and also are important 
in the public-key authentication communications protocol (to be discussed below). In the preferred 
embodiment, these certificates may include information about the trustedness/level of security of a 
particular VDE electronic appliance 600 (e.g., whether or not it has a hardware-based SPE 503 or is 
instead a less trusted software emulation type HPE 655) that can be used to avoid transmitting certain 
highly secure information to less trusted/secure VDE installations." ('193 203:58-67) 

Extrinsic: 

Digital Signature: In computer security, encrypted data, appended to or part of a message, that enables a 
recipient to prove the identity of the sender. (IBM) 

Digital Signature: 1. In authentication, data appended to, or a cryptographic transformation of, a data 
unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect 
against forgery. 2. In authentication, a data block appended to a message, or a complete encrypted 
message, such that the recipient can authenticate the message contents and/or prove that it could only 
have originated with the purported sender. (Longley) 

"Let B be the recipient of a message M signed by A, then A* s [digital] signature must satisfy three 
requirements: 

1. B must be able to validate A's signature on M. 

2. It must be impossible for anyone, including B, to forge A's signature. 

3. In case A should disavow signing a message M, it must be possible for a judge or third party to 
resolve a dispute arising between A and B. 

A digital signature therefore establishes sender authenticity [] it also establishes data authenticity." 
(Denning, p. 14) 7 

"A cipher in unconditionally secure if, no matter how much ciphertext is intercepted, there is not 
enough information in the ciphertext to determine the plaintext uniquely." (Denning, p.5) (Davies, p. 
41,380) 

"A cipher is computationally secure, or strong, if it cannot be broken by systematic analysis with 
available resources." (Denning, p.5) (Davies, p. 41, 370) 


entity's control 
891.1 


Intrinsic: 

- "A public-key certificate is someone's public key "signed" by a trustworthy entity such as an authentic 
PPE 650 or a VDE administrator. " ('193 203:42-45) 

- "Distribution involves three types of entity. Creators usually are the source of distribution. The 
typically set the control structure "context" and can control the rights which are passed into a 
distribution network. Distributors are users who form a link between object (content) end users and 
object (content) creators, they can provide a two-way conduit for rights and audit data. 
Clearinghouses may provide independent financial services, such as credit and/or billing services, and 
can serve as distributors and/or creators. Through a permissions and budgeting process, these parties 
collectively can establish fine control over type and extent of rights usage and/or auditing activities." 
('193 267:34-45) 

Extrinsic: 

Control: A business rule that governs the use of content. (ITG, 1997-1998, ML00012B) 

Control: A set of rules and consequences that apply to a governed element. The term control can apply 
to either a control program or a control set. (ITG, 1997-2000, ML00012D) 

7 "Denning" herein refers to Denning, D., Cryptography and Data Security, 1983, MSI085569. 

Control: * Control Element. A data structure that giverns (sic) the operation of a control mechanism 
(e.g., meter element, budget element, report element, trail element). * Control mechanism: One of the 
mechanisms that controls and performs operations on a VDE object (e.g. meter, bill, budget). A control 
mechanism is distinct from a control element in that it specifies the execution of some process. * 
Control object: A data structure that is used to implement some VDE control: a PERC, a control 
element, a control parameter, or the data representing a control mechanism. * Control Parameter: A 
data structure that is input to a control mechanism and that serves as part of the mechanism's 
specifications. For example, a billing mechanism might have a pricing parameter; a creator using that 
mechanism could alter the parameter but not change the mechanism itself. (ITG, 3/7/95, IT00709618, 
see footnote 2) 

Control: Defines rules and consequences for operations on a Property Chunk. A Control may be 
implemented by a process of arbitrary complexity (within the limits posed by the capability of the 
Node. (ITG, 5/12/95, IT00028293) 

Control: A set of rules and consequences for operations on content, such as pricing, payment models, 
usage reporting etc. (ITG, 8/21/95, IT00032373, TD00068B) 


environment 

912.35, 900.155, 
891.1, 683.2, 
721.34 


Intrinsic: '721 file history Rejection 10/15/98, Amendment 4/19/99 at 13-15 
Extrinsic: 

"Environment: See InterTrust node: A computer that is enabled for processing of DigiBox containers 
by installation of a PPE, which may be either hardware or software based. A node may include 
application software and/or operating system integration. The node is also termed the environment." 
(ITG, 8/21/95, IT00032375, TD00068B) 


executable 
programming, 
executable 
912.8, 912.35, 
721.34 


Intrinsic: 

- "Furthermore, applicants* independent claims 16, 36, 37 and 64 require secure delivery and use of 
plural executable items. See claim 16 ("securely delivering a first procedure ... securely delivering ... 
a second procedure separable or separate from said first procedure... "); claim 36 ("securely delivering 
plural executable procedures ..."), claim 37 ("securely delivering a first piece of executable code ... 
securely delivering a second piece of executable code ...") and claim 64 ("securely receiving a first 
load module . . . securely receiving a second load module ..."). These features are not taught or 
suggested by either Rosen or Johnson. Johnson's databases comprise data, not executable code." 

(08/388,107, Amendment, 06/20/97, p. 24-25) (MSI028848-49) 

"In addition, Applicants would like to draw the Examiner's attention to other sections of the 
specification in support of words or phrases cited by the Examiner as "indefinite." . . . The noun 
"executable," as used in Claims ... 34-36 is defined in the specification on page 7." (pg. 13-14) 
(page 7 of the original specification is '721 2:62-3:13 of the issued patent) 
(08/689,754 ('721), Amendment, 04/14/99, p. 14) 

Extrinsic: 

Execute: 1. To perform the actions specified by a program or a portion of a program. (IBM) 

Executable: 1. Program that has been link-edited and therefore can be run in a processor; The set of 
machine language instructions that constitute the output from the compilation of a source 
program. (IBM) 

Executable Programming: 1. A program that has been link-edited and therefore can be run in a 
processor. 2. The set of machine language instructions that constitute the output from the compilation 
of a source program. (IBM) 


execution space, 
execution space 
identifier 
912.8 


Intrinsic: 

"One important security layer involves ensuring that certain component assemblies 690 are formed, 
loaded and executed only in secure execution space such as provided within an SPU 500." ('193 
87:35-38) 

"The following is an example of a possible field layout for load module public header 802: ... 
Execution Space Code: Value that describes what execution space (e.g., SPE or HPE) this load module 
(sic)." ('193 140:15-35) 

"The Ginter et al. patent disclosure describes, among other things, techniques for providing a 
secure, tamper resistant execution spaces within a "protected processing environment" for computer 
programs and data. The protected processing environment described in Ginter et al. may be hardware- 
based, software-based, or a hybrid. It can execute computer code the Ginter et al. disclosure refers to 
as "load modules."" ('721 3:16-23) 

"Furthermore, Applicants respectfully submit that some of the terms cited by the Examiner as 
"indefinite" are either well-known by persons skilled in the art or inherently clear. ... Furthermore, 
Applicants respectfully submit that the term "execution spaces," as used in Claim 32, is well-known in 
the art. It refers to a resource which can be used for execution of a program or process." 

(08/689,754 ('721), Amendment, 04/14/99, p. 14) 

- ('193 86:39-47); ('193 88:38-43); ('193 104:39-44); ('193 140:37-50) 

"The SPE (HPE) load module execution manager ("LMEM") 568 loads executables into the 
memory managed by memory manager 578 and executes them. LMEM 568 provides mechanisms for 
tracking load modules that are currently loaded inside the protected execution environment. LMEM 568 
also provides access to basic load modules and code fragments stored within, and thus always available 
to, SPE 503. LMEM 568 may be called, for example, by load modules 1100 that want to execute other 
load modules." ('193 111:20-28) 

"The internal ROM 532 and RAM 534 within SPU 500 provide a secure operating environment 
and execution space." ('193 69:33-35) 

SPU 500 general purpose RAM 534 provides, among other things, secure execution space for 
secure processes. ('193 70:43-44) 

Extrinsic: 

Execution: The process of carrying out an instruction or instructions of a computer program by a 
computer. (IBM) 

Tanenbaum 


governed item 
683.2 


Intrinsic: 

- See "Allow" 

- "If an image representation of a signature is stored on portable media or in a directory service, the 
image may be stored in an electronic container 302. Such a container 302 permits the owner of the 
signature to specify control information that governs how the signature image may be used." ('683 
27:29-) 

- VDE control information which governs the use, and consequences of use, of VDE controlled 
content." ('193 288:5-12) 

- ('193 128:41-45) 
Extrinsic: 

Govern: To initiate the execution of controls. (ITG, 10/2/96, IT00035894, TD00189F) 

Governance: The act of applying controls. Governance is the fundamental activity of the InterTrust 
Commerce Architecture. (ITG, 11/17/96, IT00035867, TD00189J) 

Governed Element: An InterTrust Commerce Architecture object to which governance is applied. 
DigiBox containers, content, control sets, and control records are the primary examples of governed 
elements. (ITG, 11/17/96, IT00035867, TD00189J) 
Defined consistent (IT 35962) 


Halting 
900.155 


Intrinsic: 

- "Dynamic Check of Association Between Appliance and PPE Instance: The executing operational 
materials 3472 may next compare an embedded electronic appliance signature SIG* against the 
electronic appliance signature SIG stored in the electronic appliance itself (FIG. 69K, decision block 
3564). As discussed above, this technique may be used to help prevent operational materials 3472 
from operating on any electronic appliance 600 other than the one it was initially installed on. PPE 650 
may disable operation if this machine signature check fails ("no" exit to decision block 3564, FIG. 
69K; disable block 3566)." ('900 243:30-41) 

"When an inconsistency is detected ("yes" exit to decision block 3590, FIG. 69L), PPE 650 can take 
appropriate action sucn as loocmg lisen up uom iurincr u>c unm r cwuiiau uvicu uixu&i ui& uwku 
server's control (FIG. 69L, disable block 3591)." ('900 247:50-54) 

Extrinsic: 

Halt Indicators: In RPG, an indicator that stops the program when an unacceptable condition occurs. 
Valid halt indicators are H1-H9 (IBM) 

Halt Instruction: 1. A machine instruction that stops execution of a program. 2. Synonym for pause 
instruction. (IBM) 


host processing 
environment 

900.155 


Intrinsic: 

- ('193 63:13-17); ('193 79:60-67); ('193 81:4-8); ('900 230:57-61); ('900 231:23-31); ('900 
236:505-53) 

- "HPE(s) 655 and SPE(s) 503 are self-contained computing and processing environments that may 
include their own operating system kernel 688 including code and data processing resources." ('193 
79:36-39) 

- "HPEs 655 may be provided in two types: secure and not secure." (• 1 93 80:8-9) 

- ('193 79:31); ('193 80:22-36); ('193 80:40-65, Fig. 10); ('193 88:31-43); ('193 104:39-44) 

Extrinsic: 

Host processor: 1. A processor that controls all or part of a user application network. 2. In a network, 
the processing unit in which resides the access method for the network. 4. A processing unit that 
executes the access method for attached communication controllers.(IBM) 

"Host Processing Environment (HPE): A software-only realization of the PPE, protected from 
tampering by appropriate software techniques. No longer preferred because of the potential confusion 
between the "H" in the acronym and "H" as in "Hardware" (which this isn't). [REPLACEMENT 
UNCERTAIN]" (ITG, 3/7/95, IT00709621) 8 

"Secure Processing Environment (SPE): A hardware-supported realization of the PPE, protected from 
tampering by physical security techniques. No longer preferred because of the potential confusion 
between the "S" in the acronym and "S" as in "Software" (which this isn't). [REPLACEMENT 
UNCERTAIN]" (ITG, 5/12/95, IT00028302) 

Environment: See InterTrust node: A computer that is enabled for processing of DigiBox containers 
by installation of a PPE, which may be either hardware or software based. A node may include 
application software and/or operating system integration. 

The node is also termed the environment. (ITG, 8/21/95, IT00032375, TD00068B) 


8 Obsolete Terminology Section: "This section identifies terms that have been used in earlier documents to describe 
various VDE concepts, but that are, for various reasons, no longer preferred." 


identifier, 
identify, 
identifying 
193.11, 193.15, 
912.8, 912.35, 
861.58 


Intrinsic: 


"Portable appliance 2600 RAM 534 may contain, for example, information which can be used to 
uniquely identify each instance of the portable appliance. This information may be employed (e.g. as 
at least a portion of key or password information) in authentication, verification, decryption, and/or 
encryption processes." ('193 230:22-27) 

- ('193 25:31-38); ('193 37:27-31); ('193 111:47-67) ('193 111:59-67); ('193 124:8-18); ('193 
131:40-45); ('193 139:41-55); ('193 214:39-41) ('861 12:63-13:4); ('193 67:21-26); ('193 209:63-67); 
('193 214:39-41) 

Extrinsic: 

Identifier: 1. One or more characters used to identify or name a data element and possibly to indicate 
certain properties of that data element. 2. In programming languages, a token that names a data object 
such as a variable, an array, a record, a subprogram or a function. (IBM) 

Identifier: 1. In computing, a character or group of characters used to identify, indicate or name a body 
of data. 2. In computing, a name or string of characters employed to identify a variable, procedure, 
data structure or some other element of a program. (Longley) 


including 

193.1 (at 320:63, 
and 321:3); 
193.19 (at 
324:15); 

912.8 (at 327:36, 
39, and 41); 
912.35 (330:35 
and 39); 
861.58 (at 26:53 
and 63); and 
683.2 (at 63:60). 


Intrinsic: 

Prosecution History of '900 Patent: 

Changed "including" to "comprising" tl to avoid any possible ambiguity relating to whether the control 
information must be 1 inside* the secure object" 
Amendment to allowed claim 60, 10/29/98. 

"Load modules 1 100 in the preferred embodiment comprise executable code, and may also include 
or reference one or more data structures called "data descriptor" ("DTD") information." (' 193 136:53- 
56) 

"include or reference" ('861 15:21) 
"including or addressing" (claim 58); 
"includes a reference to" (claim 69); 

"Secure database 6 1 0 in the preferred embodiment does not include VDE objects 300, but rather 
references VDE objects stored, for example, on file system 687 and/or in a separate object repository 
728." C 193 126:26-65) 

- ('193 131:18-20) 

Extrinsic: 

"3. To consider with or place into a group, class, or total: thanked the host for including us." (Amer. 
Heritage Dictionary, 4th ed.) 


information 
previously stored 

900.155 


Intrinsic: 
Extrinsic: 

Information: 1. In information processing, knowledge concerning such things as facts, concepts, 
objects, events, ideas, and processes, that within a certain context has a particular meaning. (IBM) 

Information: 1. Any communication or reception of knowledge such as facts, data, or opinions, 
including numerical, graphic, or narrative forms, whether oral or maintained in any medium, including 
computerized data bases, paper, microform, or magnetic tape. 3. Knowledge 
that was unknown to the receiver prior to its receipt. Information can only be derived from data that is 
accurate, timely, relevant and unexpected. (Longley) 

Store: 1. To place data into a storage device. 2. To retain data in a storage device. 


integrity 
programming 

900.155 


Intrinsic: 

- "Upon initialization, the operational materials 3472 validate the embedded signature value against 
the actual electronic appliance 600 signature SIG, and may refuse to start if the comparison fails." 
('900 239:21-25) 

. "an otherwise unused section of the non- volatile CMOS RAM 656a may be used to store a 
signature 3497d. Signature 3497d is verified against the PPE 650's internal state whenever the PPE is 
initialized." ('900 239:51-55) 

- "Dynamic Check of Association Between Appliance and PPE Instance: The executing operational 
materials 3472 may next compare an embedded electronic appliance signature SIG* against the 
electronic appliance signature SIG stored in the electronic appliance itself (FIG. 69K, decision block 
3564). As discussed above, this technique may be used to help prevent operational materials 3472 
from operating on any electronic appliance 600 other than the one it was initially installed on. PPE 650 
may disable operation if this machine signature check fails ("no" exit to decision block 3564, FIG. 
69K; disable block 3566)." ('900 243:30-41) 

- ('193 80:45-48) 

Extrinsic: 

Integrity: The protection of systems, programs, and data from inadvertent or malicious destruction or 
alteration. (IBM) 

Integrity: 1. In data security, that computer security characteristic that ensures that computer resources 
operate correctly and that the data in the databases are correct. 2a. In data security, the capability of an 
automated system to perform its intended function in a unimpaired manner, free from deliberate or 
inadvertent unauthorized manipulation of the system. 2b. In data security, inherent quality of 
protection that ensures and maintains the security of entities of a computer system under all 
conditions. (Longley) 

Programming: 1. A sequence of instructions suitable for processing by a computer. 2. In programming 
languages, a logical assembly of one or more interrelated modules. 4. A sequence of instructions that a 
computer can interpret and execute. (IBM) 

Programming: The process by which a computer is made to perform a specialized task. It involves the 
creation of a formalized sequence of instructions which can be recognized and implemented by the 
machine. (Longley) 

Integrity: The ability to verify that data is unmodified from its intended value. (ITG, 5/12/95, 
IT00028294) 

Integrity: In relation to digital content, a state in which that content is unmodified and operations on 
the content are performed only as specified by the rightsholders. DigiBox containers ensure integrity. 
(ITG, 10/2/96, IT00035895, TD00189F) 

Integrity: definition varies slightly, best seems to be - A state in which content is unmodified and 
operations on properties are performed only as specified by the rights holders (IT 35922). 

Integrity: The assurance that content in a DigiBox container or content being processed by an IT 
content node has not been tampered with. (IT 35868) 


key 
193.19 


Intrinsic: 
"Key Types 

The detailed descriptions of key types below further explain secret-key embodiments; this summary is 
not intended as a complete description. The preferred embodiment PPE 650 can use different types of 
keys and/or different "shared secrets" for different purposes. Some key types apply to a Public- 
Key/Secret Key implementation, other keys apply to a Secret Key only implementation, and still other 
key types apply to both. The following table lists examples of various key and "shared secret" 
information used in the preferred embodiment, and where this information is used and stored: 

Key/Secret Information Type        Used in PK or Non-PK   Example Storage Location(s) 
Master Key(s) (may include some    Both                   PPE 
of the specific keys mentioned                            Manufacturing facility 
below)                                                    VDE administrator 
Manufacturing Key                  Both (PK optional)     PPE (PK case) 
                                                          Manufacturing facility 
Certification key pair             PK                     PPE 
                                                          Certification repository 
Public/private key pair            PK                     PPE 
                                                          Certification repository 
                                                          (Public Key only) 
Initial secret key                 Non-PK                 PPE 
PPE manufacturing ID               Non-PK                 PPE 
Site ID, shared code, shared       Both                   PPE 
keys and shared secrets 
Download authorization key         Both                   PPE 
                                                          VDE administrator 
External communication keys        Both                   PPE 
and other info                                            Secure Database 
Administrative object keys         Both                   Permission record 
Stationary object keys             Both                   Permission record 
Traveling object shared keys       Both                   Permission record 
Secure database keys               Both                   PPE 
Private body keys                  Both                   Secure database 
                                                          Some objects 
Content keys                       Both                   Secure database 
                                                          Some objects 
Authorization shared secrets       Both                   Permission record 
Secure Database Back up keys       Both                   PPE 
                                                          Secure database" 

('193 211:32 - 212:11) 

- ('193 211:18-212:18); ('193 193:8-23); ('193 207:50-60); ('193 208:38-40) 

Extrinsic: 

Keys: The permissions record also contains the fundamental decryption keys for an object. It may 
contain the keys for the object content or keys to decrypt portions of the object that contain other keys 
that then can be used to decrypt the content of the object. Usage of the keys is controlled by the 
Control Sets in the same permissions record. There are many more aspects to the keys in the 
permissions record that are beyond the scope of this document. (VDE ROI DEVICE v1.0a 9 Feb 1994, 
IT00008601) 

Key: 7. In computer security, a sequence of symbols used with a cryptographic algorithm for 
encrypting or decrypting data. (IBM) 

Key: 1. In cryptography, a sequence of symbols that controls the operations of encipherment and 
decipherment. 2. In cryptography, a symbol or sequence of symbols (or electrical or mechanical 
correlates of symbols) that control the operations of encryption and decryption). (Longley) 


load module 
912.8, 721.1 


Intrinsic: 

Prosecution History of Application 08/388,107 ('912 Patent is continuation) 

"Furthermore, applicants' independent claims 16, 36, 37 and 64 require secure delivery and use of 
plural executable items. See claim 16 ("securely delivering a first procedure ... securely delivering ... 
a second procedure separable or separate from said first procedure..."); claim 36 ("securely delivering 
plural executable procedures ..."), claim 37 ("securely delivering a first piece of executable code ... 
securely delivering a second piece of executable code ...") and claim 64 ("securely receiving a first 
load module ... securely receiving a second load module ..."). These features are not taught or 
suggested by either Rosen or Johnson. Johnson's databases comprise data, not executable code." 

08/388,107, Amendment, 06/20/97, p. 24-25 (MSI028 848-49) 

"Load module 1100 contains code and static data (that is functionally the equivalent of code), and 
is used to perform the basic operations of VDE 100. Load modules 1100 will generally be shared by 
all the control structures for all objects in the system, though proprietary load modules are also 
permitted. Load modules 1100 may be passed between VDE participants in administrative object 
structures 870, and are usually stored in secure database 610. They are always encrypted and 
authenticated in both of these cases. When a method core 1000' references a load module 1100, a load 
module is loaded into the SPE 503, decrypted, and then either passed to the electronic appliance 
microprocessor for executing in an HPE 655 (if that is where it executes), or kept in the SPE (if that is 
where it executes)." ('193 139:19-32) 

- ('193 20:27-30); ('193 71:19-40); ('193 77:12-29); ('193 86:49-60); ('193 87:41-62); ('193 109:24- 
45); ('193 111:20-28); ('193 111:29-39); ('193 111:40-47); ('193 111:59-67); ('193 126:30); ('193 
139:28-31); ('193 139:60-140:6); ('193 140:1-6); ('193 140:44-50); ('193 141:42-55); ('193 209:52- 
210:35); ('193 17:15-17); ('193 20:27-30); ('193 86:39-48); ('193 139:41-51); ('193 151:20-22); ('721 
3:21-35) 

Extrinsic: 

Load module: 1. All or part of a computer program or subprogram in a form suitable for loading into 
main storage for execution by a computer, usually the output of a linkage editor. (IBM) 

Load Module: A procedure, dynamically loaded or resident within the PPE, that performs or controls 
operations within the PPE. Some load modules are associated with individual objects or types of 
objects; others perform general utility operations. (ITG, 3/7/95, IT00709618, see footnote 2) 

"Load Module: shall mean an executable program that, when combined with control data and/or 
parameters, forms procedures or programs for performing specific types of control functions in 
compliance with EPR Specifications. Load Modules and their executable programs and associated 
control data and/or parameters are designed to, at least in part, be employed as one or more control 
elements which are used within a protected information transaction/distribution management 
arrangement." (License Agreement between National Semiconductor and EPR, 3/18/94, Exhibit 12 to 
InterTrust 30(b)(6)) 

"Load Module: The lowest level of a VDE control structure: an executable program that operates, 
under control of a method or another load module, to manipulate VDE-protected elements (which may 
be in containers otherwise)." (IT VDE Container Overview, 2/10/95, IT00051228, ETM-9999 Version 
0.21) 

"A load module is an executable program that manipulates VDE elements and content to perform a 
specific control function. A load module invoked as an external method is responsible for ensuring that 
all its related load modules, methods, elements, etc. are available and that all required option choices 
have been made." (IT VDE Container Overview, 2/10/95, IT00051234, ETM-9999 Version 0.21) 


Machine check 
programming 

900.155 


Intrinsic: 

- "machine check" does not appear in specification 

- "Correspondence Between Installed Software and Appliance "Signature". Another technique that 
may be used during the installation routine 3470 is to customize the operational materials 3472 by 
embedding a "machine signature" into the operational materials to establish a correspondence between 
the installed software on a particular electronic appliance 600 (FIG. 69C, block 3470(7)). ('900 239:4- 
14) 

- For electronic appliances 600 where it is feasible to do so, the installation procedure 3470 may 
determine unique information about the electronic appliance 600 (e.g., a "signature" SIG in the sense of 
a unique value — not necessarily a "digital signature" in the cryptographic sense)." ('900 239: 15-19) 

- "FIG. 69G shows an example of some of these appliance-specific signatures." ('900 239:41-42) 

- "Dynamic Check of Association Between Appliance and PPE Instance: The executing operational 
materials 3472 may next compare an embedded electronic appliance signature SIG' against the 
electronic appliance signature SIG stored in the electronic appliance itself (FIG. 69K, decision block 
3564). As discussed above, this technique may be used to help prevent operational materials 3472 from 
operating on any electronic appliance 600 other than the one it was initially installed on. PPE 650 may 
disable operation if this machine signature check fails ("no" exit to decision block 3564, FIG. 69K; 
disable block 3566)." ('193 243:30-) 

- "Signature 3497d may also be updated whenever a significant change is made to the secure database 
610. If the CMOS RAM signature 3497d does not match the database value, PPE 650 may take this 
mismatch as an indication that a previous instance of the secure database 610 and/or PPE 650 software 
has been restored, and appropriate action can be taken. ('900 239:55-240:6) 

- ('900 240:15-26); ('900 Claim 183) 

Extrinsic: 

Machine check: An error condition that is caused by an equipment malfunction. (IBM) 


Metadata 
information 

861.58 


Intrinsic: 

- "This metadata can define certain characteristics associated with the object name. For example, such 
metadata may impose integrity or other constraints during the creation and/or usage process (e.g., 
"when you create an object, you must provide this information", or "when you display the object, you 
must display this information"). The metadata 264 may also further describe or otherwise qualify the 
associated object name." ('861 15:21-31) 

- ('861 Abstract); ('861 6:2-7); ('861 8:57-64); ('861 13:30-34); ('861 14:7-11); ('861 16:37-52) 

Extrinsic: 

Metadata: In databases, data that describe data objects. (IBM) 

Information: 1. In information processing, knowledge concerning such things as facts, concepts, 
objects, events, ideas, and processes, that within a certain context has a particular meaning.(IBM) 

Metadata: 1. In computing, data referring to other data (such as data structures, indices, and pointers) 
that are used to instantiate an abstraction (such as 'process,' 'task,' 'segment,' 'file,' or 'pipe') 2. In 
computing, a special database, also referred to as a data dictionary, containing descriptions of the 
elements. (Longley) 


opening secure 
containers 

683.2 


Intrinsic: 

- "Because container 152 can only be opened within a secure protected processing environment 154 
that is part of the virtual distribution environment described in the above-referenced Ginter et al. patent 
disclosure" ('712 168:22-25) 

- Special mathematical techniques known as "cryptography" can be used to make electronic container 
302 secure so that only intended recipient 4056 can open the container and access the electronic 
document (or other item) 4054 it contains. ('683 15:67-16:4) 

- The appliance 600 may then open the secure electronic container ("attache' case") 302 and deliver 
the item it contains to recipient 4056 (FIG. 91B, block 4092D). ('683 ) 

- Appliance 600 may then generate a "send" or "open" event to PPE 650 requesting the PPE to open 
container 302 and allow the user to access its contents. 

- ('193 185:7-30); ('193 185:42-46); ('683 19:27-32); ('193 183:28-29); ('193 183:55-57); ('193 
185:11-16) 

Extrinsic: 

Open: 1. The function that connects a file to a program for processing. 4. To prepare a file for 
processing. (IBM) 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Container: In data security, a multilevel information structure. A container has a classification and may 
contain objects and/or other containers. (Longley) 

Container: contains protected content which is divided into one or more atomic elements, and 
optionally, PERCs governing the content and may be manipulated only as specified by a PERC. (ITG, 
3/7/1995, IT00709616) 

Container: A protected (encrypted) storage object that incorporates descriptive information, protected 
content, and (optionally) control objects applicable to that content (ITG, 3/7/1995, IT00709617, see 
footnote 3) 

Container: A protected digital information storage and transport mechanism for packaging content and 
control information. (ITG, 8/21/95, IT00032372, TD00068B) 


operating 
environment 

891.1 


Intrinsic: 
Extrinsic: 

Operating Environment: The physical environment; for example, temperature, humidity, and 
layout.(IBM) 

Operating system: In computing, a collection of software programs intended to directly control the 
hardware of a computer and on which all the other programs running on the computer generally 
depend.(Longley) 

Environment: See InterTrust node: A computer that is enabled for processing of DigiBox containers 
by installation of a PPE, which may be either hardware or software based. A node may include 
application software and/or operating system integration. The node is also termed the environment. 
(ITG, 8/21/95, IT00032375, TD00068B) 

Operation: A manipulation of some protected resource (e.g., content in a container or control records 
in a PERC) (IT VDE Container Overview, 2/10/95, IT00051228, ETM-9999 Version 0.21) 


organization, 
organization 
information, 
organize 

861.58 


Intrinsic: 

- "a descriptive data structure could serve as 'instructions' that drive an automated packaging 
application for digital content and/or an automated reader of digital content such as display priorities 
and organization (e.g., order and/or layout)." ('861 7:54-57); 

- For example, the descriptive data structure may provide a recursive, hierarchical list that reflects 
and/or defines a corresponding recursive, hierarchical structure within the rights management data 
structure ('861 5:57-63 )".... descriptive data structure may directly and/or indirectly specify where, in 
an associated rights management data structure, corresponding defined data types may be found." ('861 
5:67-6:2 ); 

- Issued claim 1: "a first memory storing a descriptive data structure, said descriptive data structure 
including: information regarding a first organization of elements within a secure container, said 
information including: information on the organization of said elements within said secure container; 
and information on the location of at least some of said elements within said secure container" 

- Issued claim 34: "a representation of the format of data contained in a first rights management data 
structure said representation including: element information contained within said first rights 
management data structure; and organization information regarding the organization of said elements 
within said first rights management data structure; and information relating to metadata, said metadata 
including" 

- Issued claim 45 (dependent from 34-44): "said information regarding elements contained within 
said first rights management data structure includes information relating to the location of at least one 
such element." 

- Issued claim 73: "said descriptive data structure organization information includes information 
specifying that said first secure container contents will include at least a title and a text section referred 
to by said title." . . . 

- Issued claim 74: "said descriptive data structure organization information includes information 
specifying that said first secure container contents will include at least one advertisement" 

- Issued claim 75: "said descriptive data structure further includes information relating to the location 
at which said title, said text section and said advertisement should be stored in said first secure 

container." . . . . . 

- Issued claim 76: "at least a portion of said descriptive data structure organization information 
includes information specifying fields relating to at least one atomic transaction" 

('193 103:23-46) 
Extrinsic: 


portion 

193.1,193.11, 
193.15, 193.19, 
912.8,912.35, 
861.58 


Intrinsic: 
Extrinsic: 

Portion: "1. A section or quantity within a larger thing; a part of a whole. 2. A part separated from a 
whole " (American Heritage Dictionary 4th Ed.) 


prevents 
721.34 


Intrinsic: 

- "VDE can: (a) audit and analyze the use of content, (b) ensure that content is used only in 
authorized ways, and (c) allow information regarding content usage to be used only in ways approved 
by content users." ('193 4:51-56) 

- "VDE ensures that certain prerequisites necessary for a given transaction to occur are met." ('193 
20:27-28) 

- "For example, shrink-wrapping does not prevent the constant illegal pirating of software once 
removed from either its physical or electronic package." ('193 5:60-62) 

"VDE, for example, provides the ability to prevent, or impede, interference with and/or observation of, 
important rights related transactions and processes. VDE, in its preferred embodiment" ('193 4:1-4) 

"After receiving enabling distribution control information from creator A, distributor A may 
manipulate an application program to specify some or all of the particulars of usage control information 
for users and/or user/distributors enabled by distributor A (as allowed, or not prevented, by senior 
control information)." ('193 303:63) 

- ('193 6:33-35); ('193 15:41-46); ('193 17:22-28); ('193 309:10-16); ('193 303:63-304:1) 

Extrinsic: 


processing 
environment 
912:35, 900:155, 
721:34, 683.2 


Intrinsic: 

- "Another approach to supporting COTS software would use the VDE software running on the 
user's electronic appliance to create one or more "virtual machine" environments in which COTS 
operating system and application programs may run, but from which no information may be 
permanently stored or otherwise transmitted except under control of VDE." ('193 279:26-40) 

- "VDE may be combined with, or integrated into, many separate computers and/or other electronic 
appliances. These appliances typically include a secure subsystem that can enable control of content use 
such as displaying, encrypting, decrypting, printing, copying, saving, extracting, embedding, 
distributing, auditing usage, etc. The secure subsystem in the preferred embodiment comprises one or 
more "protected processing environments", ..." ('193 9:22) 

- ('193 9:22-29); ('683 24:26-33); ('193 60:51-64) 

Extrinsic: 

Processing: 1. The performance of logical operations and calculations on datum including temporary 
retention of data in processor storage while the data is being operated on. (IBM) 

Process: (1) In computing, the active system entity through which programs run. The entity in a 
computer system to which authorizations are granted; thus the unit of accountability in a computer 
system. 2. In computing, a program in execution. ... (4) In computing, a program is a static piece 
of code and a process is the execution of that code. (Longley) 

Environment: 1. The aggregate of external circumstances, conditions, and objects that affect the 
development, operation, and maintenance of a system. 2. In computer security, those factors, both 
internal and external, of an ADP system that help to define the risks associated with its operation 
(Longley) 

Secure Processing Environment (SPE): A hardware-supported realization of the PPE, protected from 
tampering by physical security techniques. No longer preferred because of the potential confusion 
between the "S" in the acronym and "S" as in "Software" (which this isn't). [REPLACEMENT 
UNCERTAIN] (ITG, 5/12/95, IT00028302) 

Environment: See InterTrust node: A computer that is enabled for processing of DigiBox containers 
by installation of a PPE, which may be either hardware or software based. A node may include 
application software and/or operating system integration. The node is also termed the environment. 
(ITG, 8/21/95, IT00032375, TD00068B) 



protected 
processing 
environment 
721:34, 683.2 



See also "secure 
Intrinsic: 

Prosecution History of Application 08/778,256 (continuation of '891 Patent, issued at USP 5,949,876) 
"Independent claims 65 and 76 each recite a "protected processing environment" Griffeth 
et al. [U.S. Pat No. 5,505,837], Yamamoto [U.S. Pat. No. 5,508,913] and Wyman [U.S. Pat. No. 
5,260,999] do not disclose these aspects of these claims. 

The system disclosed in Griffeth et al is designed to allow negotiation to proceed in an 
environment in which a negotiating party does not disclose information about its negotiation goals to 
the other negotiating party. ... Griffeth et al. does not disclose any privacy protection mechanism and 
neither teaches nor suggests any secure processing environment or that any operations (e.g., integration 
or execution) occur securely. Indeed, Griffeth contains no suggestion that any protection mechanism is 
needed to maintain negotiation goals in privacy, since Griffeth does not suggest that the other party 
may try to improperly discover information which is intended to remain private. 

Yamamoto states the following: "Here, the data is enciphered by the data encipher apparatuses 
26 so as to maintain confidentiality." Col. 3, lines 46-47. Since Yamamoto makes no other reference 
to the encipherment, or to the apparatuses 26, it is impossible to determine how the data encipherment 
is used, or the roles it plays in the disclosed apparatus. From an examination of Fig. 3, however, it 
appears that the data encipher apparatuses 26 are placed on connections between a particular site and 
other physically separated sites. For example, customer office 23b is connected to sub-center 22 by a 
line which apparently represents a communication path. That line connects directly to a data encipher 
apparatus 26 in customer office 23b, and to another data encipher apparatus 26 in sub-center 22. 

Thus it appears that the data encipher apparatuses 26 are used, in some undisclosed manner, to 
encipher at least some data which travels among physically separated locations. It is possible to 
imagine, for example, that data is enciphered prior to being sent out on an insecure public transmission 
line, and is then deciphered once received in a new location. 

Yamamoto does not disclose, however, that the processing environments are themselves 
secure or that either execution or integration occur in a secure manner or in a secure environment. 
Indeed, Yamamoto contains no suggestion that security within a processing environment would even be 
desirable. By suggesting that data is deciphered once it enters an office (e.g., office 23b), in fact, 
Yamamoto teaches away from a secure environment, since it would appear that the data is used "in the 
clear" within the office, with no suggested protection beyond a simple password for the computer. 

Wyman is equally deficient regarding these elements. Although Wyman specifies that a license may 
contain a digital signature, therefore rendering the license unforgeable (Col 14, lines 24-54), Wyman 
neither teaches nor suggests that the processing environment is itself secure or that any operations occur 
in a secure manner. The Wyman digital signatures no more suggest a secure processing environment 
than the requirement that paper contracts be signed in ink suggests that the contracts will be created, 
read or negotiated in a secure location." 

08/778,256 ('876), Amendment, 01/20/98, p. 58-60 

- "The role of go-between 4700 may, in some circumstances, be played by one of the participant's 
SPU's 500 (PPEs), since SPU (PPE) behavior is not under the user's control, but rather can be under the 
control of rules and controls provided by one or more other parties other than the user (although in 
many instances the user can contribute his or her own controls to operate in combination with controls 
contributed by other parties)." ('683 24:26) 

- "SPU 500 provides a tamper-resistant protected processing environment ("PPE") in which processes 
and transactions can take place securely and in a trusted fashion" ('683 16:60-62) 

- "The computer 3372 may then execute the operational materials 3472 from its hard disk 3376 to 
provide software-based protected processing environment 650 and associated software-based tamper 
resistant barrier 672)" ('900 231:27-31); 

- ('193 20:58-63); ('193 21:11-17); ('721 7:19-23); ('721 16:64-17:5); 

- "HPE(s) 655 and SPE(s) 503 are self-contained computing and processing environments that may 
include their own operating system kernel 688 including code and data processing resources." ('193 
79:36-39) 

- (see Figs. 10 and 13), ('193 79:24), (105:23, 105:43, 109:46); ('193 13:7-23); ('193 223:30-44) 

- "In one example, a person with a laptop 5102 or other computer lacking a PPE 650 wishes 
nonetheless to take advantage of a subset of secure item delivery services." ('683 62:17-20) 

"Claims 7-11, ... 99-111 ... are rejected under 35 U.S.C. 103(a) as being unpatentable over Fischer 
(5,412,717) in view of Narasimhalu et al (5,499,298). Fischer discloses a method and apparatus 
including a system monitor which limits the ability of a program about to be executed to the use of 
predefined resources, .... The set of authorities and restrictions are referred to as "program 
authorization information" or "PAI". ... A comparison of independent claim 7 to Fischer to derive the 
similarities and differences between the claimed invention and the prior art follows. ... memory 
containing a first rule corresponds to a first PAI under a first PCB. Here, Fischer provides a secure 
container in the form of a program, i.e. a governed item, having an associated PAI, i.e. at least one rule 
associated with the secure container. A protected processing environment ("PPE") protecting at least 
some information contained in the PPE, see Fischer Terminal A, and including hardware and/or 
software used for applying said first rule and the secure container in combination to at least in part 
govern at least one aspect of access to or use of the governed item, see Fischer at Figure 5 and column 
10, lines 8-39 where the first rule in memory is first PCB providing a first PAI and the secure container 
is a program associated with a second PCB providing a first PAI and the secure container is a program 
associated with a second PCB having a second PAI associated with the governed item, i.e. the program. 
... The difference between claim 7 and Fischer is that the PPE disclosed in Fischer is not explicitly 
disclosed as protected from tampering by a user of the first apparatus, i.e. terminal A. The Narasimhalu 
patent (hereinafter '298) teaches a method and apparatus for controlling the dissemination of digital 
information, [and] that the end user accesses the digital information with a tamper-proof controlled 
information access device." 

09/221,479 ('683), Office Action, 11/12/99, p. 3-5 (IT00065799-801) 

"With respect to the remaining issues, Applicants respectfully disagree. For example, the Examiner 
objects to the use of "environment" as indefinite and unclear. This word, however, is not used in 
isolation, but rather in the context of several longer phrases, all of which are defined in the 
specification. The phrase "protected processing environment," for example, is used in Claims 11 and 
15-18 and described on at least, for example, pages 7-8 and 25 of the specification. The term "virtual 
distribution environment" used in Claim 11 is described, for example, on page 7 of the specification. 
The terms are also described in the commonly copending application Serial Number 08/388,107 of 
Ginter et al., filed 13 February 1995, entitled "System and Methods for Secure Transaction 
Management and Electronic Rights Protection." A copy of the incorporated Ginter application can be 
provided to the Examiner upon request" 

(pages 7, 7-8 and 25 of the original specification are '721 2:62-3:13, 2:62-3:34 and 8:6-28 of the issued 
patent) 

"The role of go-between 4700 may, in some circumstances, be played by one of the participant's SPU's 
500 (PPEs), since SPU (PPE) behavior is not under the user's control, but rather can be under the 
control of rules and controls provided by one or more other parties other than the user (although in 
many instances the user can contribute his or her own controls to operate in combination with controls 
contributed by other parties)" ('683 24:26) 

08/689,754 ('721), Amendment, 04/14/99, p. 13 

Extrinsic: 

Processing: 1. The performance of logical operations and calculations on datum including temporary 
retention of data in processor storage while the data is being operated on. (IBM) 

Environment: 1. The aggregate of external circumstances, conditions, and objects that affect the 
development, operation, and maintenance of a system. 2. In computer security, those factors, both 
internal and external, of an ADP system that help to define the risks associated with its operation 
(Longley) 

IT used "tm" symbol with "Protected Processing Environment" (Panel Abstract The InterTrust 
Commerce Architecture, presented at 20th NISSC, 1997) 

Environment: See InterTrust node: A computer that is enabled for processing of DigiBox containers 
by installation of a PPE, which may be either hardware or software based. A node may include 
application software and/or operating system integration. The node is also termed the environment. 
(ITG, 8/21/95, IT00032375, TD00068B) 

Protected Processing Environment (PPE) technology: The InterTrust technology that provides the 
protected software environment within the InterRights Point. Protected Processing Environment 
technology is responsible for the encryption/decryption of data, protected processing of DigiBox 
containers, and other secure operations, such as protected database access. (ITG, 1997-1998, 
ML00012B) 

Protected Processing Environment (PPE): The PPE is the secure part of a VDE node: either a 
hardware or software-protected environment in which VDE mechanisms run without external 
interference. There are various PPE realizations (e.g., physically protected hardware) appropriate to 
different operational requirements (ITG, 3/7/1995, IT00709619, see footnote 2) 

Secure Processing Unit: The physically secure hardware component of the SPE: a processor with local 
memory and non-volatile storage. The SPE consists of the SPU itself and the SPE software running on 
the SPU. (ITG, 3/7/1995, IT00709620, see footnote 2) 

"Protected Processing Environment (PPE): An InterTrust node has a unique node ID and contains a 
Protected Processing Environment (PPE) which performs operations on containers and control 
structures under rules specified by PERCs and which may be realized in a tamper resistant hardware 
component or in tamper-resistant software and a protected database, which stores control objects and 
InterTrust applications, operating outside the PPE, which manipulate content and control objects 
through requests to the PPE" (ITG, 4/06/95, IT00028206) 

"All the terms in italics have specific definitions (in the glossary) with respect to InterTrust." 
950406: Global replace of " VDE " with "InterTrust " to match new terminology. (ITG, 4/06/95, 
IT00028206) 

Protected Environment: A portion of the node software that uses, and protects, the protected node data 
such as cryptographic keys. The protected environment is responsible for performing all the protected 
functions for manipulating containers and content; that is, all the operations governed by controls. 
(ITG, 5/12/95, IT00028294) 

Protected Processing Environment: (alternate definition): The protected environment in which the 
cryptographic and control functions of InterTrust run. The PPE may be protected environmentally 
(e.g., as a physically protected server machine) or may employ software-based tamper resistance 
techniques. (ITG, 8/21/95, IT00032377, TD00068B) 

Secure Processing Environment (SPE): A hardware-supported realization of the PPE, protected from 
tampering by physical security techniques. No longer preferred because of the potential confusion 
between the "S" in the acronym and "S" as in "Software" (which this isn't). [REPLACEMENT 
UNCERTAIN] (ITG, 5/12/95, IT00028302) 

Protected Processing Environment (PPE): The InterTrust protected software environment within the 
InterTrust Commerce Node. The PPE is responsible for the encryption/decryption of data, protected 
processing of DigiBox containers, and other secure operations, such as database access. (ITG, 11/17/96, 
IT00035871, TD00189J) 


protecting 
683.2 


Intrinsic: 

- "VDE can: (a) audit and analyze the use of content, (b) ensure that content is used only in authorized 
ways, and (c) allow information regarding content usage to be used only in ways approved by content 
users." ('193 4:51-56) 

- "An attacker would gain little benefit from intercepting this information since it is transmitted in 
protected form; she would have to compromise electronic appliance 600(1) or 600(N) (or the SPU 
500(1), 500(N)) in order to access this information in unprotected form." ('193 228:25) 

- Even if the object is stored locally to the VDE node, it may be stored as a secure or protected object 
so that it is not directly accessible to a calling process. ('193 192:14-17) 

- ('193 228:25-30); ('193 6:33-35); ('193 15:41-46); ('193 17:22-28) 
Extrinsic: 

Hoffman, Modern Methods for Computer Security & Privacy at 134 

Dictionary of Computing, 3rd Ed. (1990) ("Protected Location: A memory location that can only be 
accessed by an authorized user or process."; "Protected domain: A set of access privileges to protected 
resources.") 

Webster's New World Dictionary of Computer Terms, 4th Ed. (1992) ("To prevent unauthorized 
access to programs or a computer system; to shield against harm.") 

The New IEEE Standard Dictionary of Electrical and Electronics Terms, 5th Ed. (1993) ("Protection: 
(1) (computing systems). See: Storage protection (2) (software). An arrangement for restricting 
access to or use of all, or part, of a computer system."; "Storage protection: An arrangement for 
preventing access to storage for either reading or writing, or both.") 

IN00862862 

Security: The combination of integrity and secrecy, applied to data. (ITG, 5/12/95, IT00028295) 
Secrecy: The inability to obtain any information from data. (ITG, 5/12/95, IT00028294) 


record (n.) 
912.8, 912.35 


Intrinsic: 

"The selected method event record 1012, in turn, specifies the appropriate information (e.g., load 
module(s) 1100, data element UDE(s) and MDE(s) 1200, 1202, and/or PERC(s) 808) used to construct 
a component assembly 690 for execution in response to the event that has occurred ..." ('193 138:12-47) 

Extrinsic: 

Record: 1. In programming languages, an aggregate that consists of data objects, possibly with different 
attributes, that usually have identifiers attached to them. In some programming languages, records are 
called structures. 2. A set of data treated as a unit. 3. A set of one or more related data items grouped for 
processing. (IBM) 

Record: 1. In computing, a collection of related data treated as a unit, e.g. details of name, address, age, 
occupation and department of an employee in a personnel file. 2. In computing, to store signals on a 
recording medium for later use. (Longley) 

New IEEE Standard Dictionary of Electrical and Electronics Terms (5th ed. 1993) 


required 
912.8, 861.58 


Intrinsic: 
See "allow." 
Extrinsic: 


resource 
processed 

891.1 


Intrinsic: 

- ('193 72:39-44); ('193 75:15-30); ('193 283:23-28) 

"Smart objects may have the means to request use of one or more services and/or resources. Services 
include locating other services and/or resources such as information resources, language or format 
translation, processing, credit (or additional credit) authorization, etc. Resources include reference 
databases, networks, high powered or specialized computing resources (the smart object may carry 
information to another computer to be efficiently processed and then return the information to the 
sending VDE installation), remote object repositories, etc. Smart objects can make efficient use of 
remote resources (e.g. centralized databases, super computers, etc.) while providing a secure means for 
charging users based on information and/or resources actually used." ('193 38:60-39:8) 

Extrinsic: 

Resource: 1. Any of the data processing system elements needed to perform required operations, 
including storage, input/output units, one or more processing units, data, files, and programs. 2. Any 
facility of a computing system or operating system required by a job or task, and including main 
storage, input/output devices, processing unit, data sets, and control or processing programs. (IBM) 

Processed: 1. The performance of logical operations and calculations on datum including temporary 
retention of data in processor storage while the data is being operated on. (IBM) 

Process: (1) in computing, the active system entity through which programs run. The entity in a 
computer system to which authorizations are granted; thus the unit of accountability in a computer 
system. 2. In computing, a program in execution. (4) In computing, a program is a static piece of 
code and a process is the execution of that code. (Longley) 


rule 

861.58, 683.2 


Intrinsic: 

"A system as in claim 17, said memory further storing at least one rule associated with said first 
secure container, said first secure container rule at least in part governing at least one aspect of access 
to or use of said governed item. 

A system as in claim 19, said at least first secure container rule further including a second rule at least 
in part restricting the number of accesses and/or uses a user may make of said governed item." 
09/221,479 ('683), Preliminary Amendment, 12/28/99, p. 5 (IT00065690) 

"Claims 7-11, ... are rejected under 35 U.S.C. 103(a) as being unpatentable over Fischer (5,412,717) in 
view of Narasimhalu et al (5,499,298). Fischer discloses a method and apparatus including a system 
monitor which limits the ability of a program about to be executed to the use of predefined resources, 
.... The set of authorities and restrictions are referred to as "program authorization information" or 
"PAI." ... A comparison of independent claim 7 to Fischer to derive the similarities and differences 
between the claimed invention and the prior art follows. . . . memory containing a first rule corresponds 
to a first PAI under a first PCB Here, Fischer provides a secure container in the form of a 
program, i.e. a governed item, having an associated PAI, i.e. at least one rule associated with the secure 
container." 

09/221,479 ('683), Office Action, 11/12/99, p. 3-4 (IT00065799-800) 

- In general, VDE enables parties that (a) have rights in electronic information, and/or (b) act as direct 
or indirect agents for parties who have rights in electronic information, to ensure that the moving, 
accessing, modifying, or otherwise using of information can be securely controlled by rules regarding 
how, when, where, and by whom such activities can be performed. ('193 6:24-30) 

- "at least one rule and/or control associated with the software agent that governs the agent's 
operation." ('193 241:2-3) 

- "FIG. 4 illustrates examples of some different types of rules and/or control information" ('683 
11:37-38) 

- "if necessary, trusted go-between 4700 may obtain and register any methods, rules and/or controls 
it needs to use or manipulate the object 300 and/or its contents (FIG. 122 block 4778)." ('683 47:40-45) 

"In this further user interaction provided by object submittal manager 774, the user may specify 
permissions, rules and/or control information to be applied to or associated with the new object 300." 
('193 106:60) 

"at least one rule and/or control associated with the software agent that governs the agent's 
operation." ('193 241:2) 

- "The usage-related "rules and controls" may, for example, specify what a user can and can't do 
with the content and how much it costs to use the content" ('193 55:46-49) 

"Container 300x is specified as a content object that is empty of content. It contains a control set 
that contains the following rules: 

1. A write without billing event that specifies a meter and a general budget that limits the 
value of writing to $15.00. 

2. Audits of usage are required and will be stored in object 300w under control information 
specified in that object. 

3. An empty use control set that may be filled in by the owner of the information using 
predefined methods (method options)." ('193 243:35-37) 

- "an object creator or other provider can specify within a descriptive data structure 200, certain rules, 
integrity constraints and/or other characteristics that can or should be applied to the object after it has 
been imported into a target rights management environment." ('861 17:49-53) 

- ('683 54:29-37); ('193 56:28-35); ('193 53:60-63); ('683 47:40-45) 
Extrinsic: 

Rule: In computing, a statement in an expert system that enables the likelihood of an assertion, or the 
value of an object, to be established. A rule combines lower level assertions or objects to produce a 
value for a higher level assertion or object. (Longley) 

See Business Rule: A specification of the conditions governing how content and controls in DigiBox 
containers may be manipulated. A business rule may specify pricing, terms of use terms, operational 
restrictions, payment methods, and other aspects of information use. A rule may also specify 
consequences related to usage reporting and payment, for example, specifying that each purchase of 
content must be reported to its creator. (ITG, 11/17/96, IT00035863, TD00189J) 

"Rules and Controls" means any electronic information that directs, enables, specifies, describes, and/or 
provides contributing means for performing or not-performing, permitted and/or required operations 
related to Content, including, for example, restricting or otherwise governing the performance of 
operations, such as, for example, Management of such Content. (License Agreement: IT and Universal 
Music Group, 4/13/99, Exhibit 11 to InterTrust 30(b)(6)) 

Que at 348; Webster's New World Dictionary of Computer Terms (4th ed.) at 365 


secure 

193.1, 193.11, 
193.15, 912.35, 
861.58, 891.1, 

683.2, 721.34 


Intrinsic: 

Because this term is indefinite and used inconsistently, each use of "secure" and forms thereof in the 
asserted patents is relevant and herein included by reference. The following examples are illustrative. 

"HPEs 655 may be provided in two types: secure and not secure." ('193 80:8-9) 

"Because secondary storage 652 is not secure, SPE 503 must encrypt and cryptographically seal 
(e.g., using a one-way hash function initialized with a secret value known only inside the SPU 500) 
each swap block before it writes it to secondary storage." ('193 107:39-42) 

"Insecure external memory may reduce the wait time for swapped pages to be loaded into SPU 
500, but will still incur substantial encryption/decryption penalty for each page." ('193 125:56-59) 

- "The following is a non-exhaustive list of some of the advantageous features provided by ROS 602 
in the preferred embodiment: 

Secure 

secure communications 

secure control functions 

secure virtual memory management 

information control structures protected from exposure 

data elements are validated, correlated and access controlled 

components are encrypted and validated independently 

components are tightly correlated to prevent unauthorized use of elements 

control structures and secured executables are validated prior to use to protect against tampering 

integrates security considerations at the I/O level 

provides on-the-fly decryption of information at release time 

enables a secure commercial transaction network 

flexible key management features" ('193 72:52, 73:19) 

- "ROS 602 generates component assemblies 690 in a secure manner. As shown graphically, in FIGS. 
11I and 11J, the different elements comprising a component assembly 690 may be "interlocking" in the 
sense that they can only go together in ways that are intended by the VDE participants who created the 
elements and/or specified the component assemblies. ROS 602 includes security protections that can 
prevent an unauthorized person from modifying elements, and also prevent an unauthorized person 
from substituting elements." (82:60) 

- "Because of VDE security, including use of effective encryption, authentication, digital signature, 
and secure database structures, the records contained within a VDE card arrangement may be accepted as 
valid transaction records for government and/or corporate recordkeeping requirements." (19:49) 

- "In order to maintain security, SPE 503 must encrypt and cryptographically seal each block being 
swapped out to a storage device external to a supporting SPU 500, and must similarly decrypt, verify 
the cryptographic seal for, and validate each block as it is swapped into SPU 500." (123:60) 

- "As mentioned above, memory external to SPU 500 may not be secure. Therefore, when security is 
required, SPU 500 must encrypt secure information before writing it to external memory before using 
it." (69:29) 

- "Only those processes that execute completely within SPEs 503 (and in some cases, HPEs 655) may 
be considered to be truly secure. Memory and other resources external to SPE 503 and HPEs 655 used 
to store and/or process code and/or data to be used in secure processes should only receive and handle 
that information in encrypted form unless SPE 503/HPE 655 can protect secure process code and/or 
data from non-secure processes" (79:11) 

- "From time to time, two parties (e.g., PPEs A and B), will need to establish a communication channel 
that is known by both parties to be secure from eavesdropping, secure from tampering, and to be in use 
solely by the two parties whose identities are correctly known to each other." (215:35) 

- "Since all secure communications are at least in part encrypted and the processing inside the secure 
subsystem is concealed from outside observation and interference, the present invention ensures that 
content control information can be enforced." ('193 46:4-8) 

- '193 199:38-47, 221:1-21 

See also prior art referenced in the relevant file histories, e.g. Stefik; Tygar et al., "Dyad: A System for 
Using Physically Secure Coprocessors," School of Computer Science, Carnegie Mellon University, 
Pittsburgh, PA 15213 (May 1991). 

Extrinsic: 

"No data system can be made secure without physical protection of some part of the equipment" 
(Davies, p. 3) 9 

"Security is a negative attribute. We judge a system to be secure if we have not been able to design a 
method of misusing it which gives some advantage to the attacker." (Davies, p.4) 

"Various criteria exist for secure systems - U.S. Dept. of Defense Trusted Computer Security 
Evaluation Criteria (TCSEC), the Orange Book, Red Book, European and Canadian guidelines, U.S. 
National Institute of Standards and Technology, and United Kingdom guidelines." (Neumann) 10 

"Security: 1. Protection against unwanted behavior. In present usage, computer security includes 
properties such as confidentiality, integrity, availability, prevention of denial of service and prevention 
of generalized misuse. 2. The property that a particular security policy is enforced, with some degree 
of assurance. 3. Security is sometimes used in the restricted sense of confidentiality, particularly in the 
case of multilevel security. Multilevel Security - A confidentiality policy based on the relative ordering 
of multilevel security labels (really multilevel confidentiality, ex. - no adverse flow of information with 
respect to sensitivity of information)" (Neumann, Glossary) 

"There are two principal objectives: secrecy (or privacy), to prevent unauthorized disclosure of data; 
and authenticity or integrity) [sic], to prevent the unauthorized modification of data. ... Note, however, 
that whereas it can be used to detect message modification, it cannot prevent it. Encryption alone does 
not protect against replay, because an opponent could simply replay previous ciphertext." (Denning, 
p.5) 

"A cipher is unconditionally secure if, no matter how much ciphertext is intercepted, there is not 
enough information in the ciphertext to determine the plaintext uniquely." (Denning, p.5) (Davies, p. 
41,380) 

"A cipher is computationally secure, or strong, if it cannot be broken by systematic analysis with 
available resources." (Denning, p.5) (Davies, p.41, 370) 

Security: The combination of integrity and secrecy, applied to data. (ITG, 5/12/95, IT00028295) 

Secrecy: The inability to obtain any information from data. (ITG, 5/12/95, IT00028294) 

". . security includes concealment, integrity of messages, authentication of one communicating party 
by the other. ." (Neumann, p. 8) 



9 "Davies" herein refers to Davies, D., et al, Security for Computer Networks, 1984. 

10 "Neumann" herein refers to Neumann, P.G., Computer Related Risks, 1995 
"Computer security rests on confidentiality, integrity, and availability. The interpretations of these three 
aspects vary, as do the contexts in which they arise. 

Confidentiality is the concealment of information or resources. [] Confidentiality also applies to the 
existence of data, which is sometimes more revealing than the data itself. 

[] All mechanisms that enforce confidentiality require supporting services from the system. The 
assumption is that the security services can rely on the kernel, and other agents, to supply correct data. 
Thus, assumptions and trust underlie the confidentiality mechanisms. 

Integrity refers to the trustworthiness of data or resources, and it is usually phrased in terms of 
preventing improper or unauthorized change. Integrity includes data integrity (the content of the 
information) and origin integrity (the source of the data, often called authentication). 

Integrity mechanisms fall into two classes: prevention mechanisms and detection mechanisms. 

Protection mechanisms seek to maintain the integrity of the data by blocking any unauthorized attempts 
to change the data or any attempts to change the data in unauthorized ways. 

Detection mechanisms do not try to prevent violations of integrity; they simply report that the data's 
integrity is no longer trustworthy." (Bishop, p. 4-6) 11 

"Definition 4-1. A security policy is a statement that partitions the states of the system into a set of 
authorized, or secure, states and a set of unauthorized, or nonsecure, states. 

Definition 4-2. A secure system is a system that starts in an authorized state and cannot enter an 
unauthorized state." (Bishop, p. 95) 

'74.5.1 Secure Systems 

Systems designed with security in mind have auditing mechanisms integrated with the system design 
and implementation." (Bishop, p.706) 

"Computer security is assuring the secrecy, integrity, and availability of components of computing 
systems. The three principal pieces of a computing system subject to attacks are hardware, software, and 
data. These three pieces, and the communications between them, constitute the basis of computer 
security vulnerabilities. This chapter has identified four kinds of attacks on computing systems: 
interruptions, interceptions, modifications, and fabrications. 

Three principles affect the direction of work in computer security. By the principle of easiest 
penetration, a computing system penetrator will use whatever means of attack is the easiest; therefore, 
all aspects of computing system security need to be considered at once. By principle of timeliness, a 
system needs to be protected against penetration only long enough so that penetration is of no value to 
the penetrator. The principle of effectiveness states that controls must be usable and used in order to 
serve purpose. 

Controls can be applied at the levels of data, programs, the system, physical devices, communications 
links, the environment, and personnel. Sometimes several controls are needed to cover a single 
vulnerability, and sometimes one control addresses several problems at once." (Pfleeger, p.4) 

See also InterTrust's Rule 30(b)(6) testimony and Microsoft PLR 4-2 Exhs. E & F as revised. 
(Examples follow). Webster's New 20th Century Dictionary (1947) at 1540-41; Pfleeger at 4-5; 
Spencer, Personal Computer Dictionary at 156; The Computer Glossary at 460; 
McGraw-Hill Dictionary of Scientific and Technical Terms at 1788; 
Practical Unix Security at 11-12 (O'Reilly 1991); 
Bishop, Computer Security (2002) pp. 3-24, 47; 
Hoffman, Modern Methods for Computer Security and Privacy at 2, 134-35; 
Mullender, ed., Distributed Systems (Addison Wesley 2d ed.) at 367, 420; 
Landwehr, "Formal Models for Computer Security" (ACM 1981); 
Merkle, "Protocols for Public Key Cryptosystems" (IEEE 1980); 
Cooper, Computer & Communication Security, at 383; 
Baker, The Computer Security Handbook at 273; 
Computer Security Handbook at 389; 
Matheson et al., Robustness and Security of Digital Watermarks; 



11 "Bishop" herein refers to Bishop, M., Computer Security, Art & Science, 2003. 

National Information Systems Security (INFOSEC) Glossary at 4V-5U; 
Internet Security Glossary (RFC2828); 
Tanenbaum, Modern Operating Systems (1992) at 181-82 

IN64706-45, IN176319-72, IT735936 (integrity), IT735938-9 

IN00862862, IT1678-96, IT39208-26, IT702969-83, IT399877-80 

"Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user."; "Computer Security. 1. Concepts, techniques, 
technical measures, and administrative measures used to protect the hardware, software and data of an 
information processing system from deliberate or inadvertent unauthorized acquisition, damage, 
destruction, disclosure, manipulation, modification or use or loss. 2. Protection resulting from the 
application of computer security." (IBM) 

"Security: Freedom from risk or danger. Safety and assurance of safety"; "secure state: condition in 
which none of the subjects in a system can access objects in an unauthorized manner. . ." (Russell, 
Computer Security Basics, 1992, pp. 8-11, 113, 227, 420) 

"Various criteria exist for secure systems - U.S. Dept. of Defense Trusted Computer Security 
Evaluation Criteria (TCSEC), the Orange Book, Red Book, European and Canadian guidelines, U.S. 
National Institute of Standards and Technology, and United Kingdom guidelines." 
The New IEEE Standard Dictionary of Electrical and Electronics Terms, 5th Ed. (1993) at 1181 ("The 
protection of computer hardware and software from accidental or malicious access, use, modification, 
destruction, or disclosure.") 

Dictionary of Computing, 3rd Ed. (1990) at 406 ("Prevention of or protection against (a) access to 
information by unauthorized recipients or (b) intentional but unauthorized destruction or alteration of 
that information.") 

Information Security Dictionary of Concepts, Standards, and Terms (1992) ("The quality or state of 
being cost-effectively protected from undue losses (e.g. loss of goodwill, monetary loss, loss of ability 
to continue operations, etc.)") 



secure container 

912.35, 861.58, 
683.2 



See "secure" and "container" 
Intrinsic: 

- Prosecution History of '861 Patent: 

"Anderson [U.S. Patent No. 5,537,526] does not explicitly address a secure container 
per se but does place documents into containers [Fig. 8 202] and place restriction via 
links attached to documents ... which can include restrictions ... Such security tools are 
rightfully attached to a structure encapsulating the document, e.g. its container. 
08/805,804 ('861), Office Action, 06/25/98, p. 5. MSI 27417-25 

- Prosecution History of '683 Patent: 

"Claims 7-11, are rejected under 35 U.S.C. 103(a) as being unpatentable over Fischer 
(5,412,717) in view of Narasimhalu et al (5,499,298). ... The set of authorities and 
restrictions are referred to as "program authorization information" or "PAI." ... A 
comparison of independent claim 7 to Fischer to derive the similarities and differences 
between the claimed invention and the prior art follows. ... Here, Fischer provides a 
secure container in the form of a program, i.e. a governed item, having an associated 
PAI, i.e. at least one rule associated with the secure container." 
09/221,479 ('683), Office Action, 11/12/99, p. 3-4 (IT00065799-800 m IT65863-65) 

- Prosecution History of Application 08/689,606, filed 12 August 1996: (issued as USP 5,943,422 
incorporating '107) Amendment dated 2 July 1998: 

"1 (Amended) A rights management method comprising: (a) receiving an information 
signal; (b) steganographically decoding the received information signal to recover digital 
rights management control information p^ed within at least one secure digital 
container, and (c) performing at least one rights management operation based at least in 
part on the recovered digital rights management control information. [] 
Remarks [] For example, amended Claims 1, 15 and 22 each recite a digital secure 
container in combination. Neither Rhoads [USP 5,636,292], nor any of the other applied 
references, teaches or suggests the recited combination of features including any digital 
secure container." 

- Rhoads, USP 5,636,292: 

"Fully Exact Steganography 

Prior art steganographic methods currently known to the inventor generally involve fully 
deterministic or "exact" prescriptions for passing a message. Another way to say this is 
that it is a basic assumption that for a given message to be passed correctly in its entirety, 
the receiver of the information needs to receive the exact digital data file sent by the 
sender, tolerating no bit errors or "loss" of data. By definition, "lossy" compression and 
decompression on empirical signals defeat such steganographic methods. (Prior art, such 
as the previously noted Komatsu work, are the exceptions here.) 
The principles of this invention can also be utilized as an exact form of steganography 
proper. It is suggested that such exact forms of steganography, whether those of prior art 
or those of this invention, be combined with the relatively recent art of the "digital 
signature" and/or the DSS (digital signature standard) in such a way that a receiver of a 
given empirical data file can first verify that not one single bit of information has been 
altered in the received file, and thus verify that the contained exact steganographic 
message has not been altered. " (55:5-26) 

"One exemplary application is placement of identification recognition units directly 
within modestly priced home audio and video instrumentation (such as a TV). Such 
recognition units would typically monitor audio and/or video looking for these copyright 
identification codes, and thence triggering simple decisions based on the findings, such 
as disabling or enabling recording capabilities, or incrementing program specific billing 
meters which are transmitted back to a central audio/video service provider and placed 
onto monthly invoices." (29:23) 

- "Use of secure electronic containers to transport items provides an unprecedented degree of security, 
trustedness and flexibility" ('683 8:50-52) 

- "Even if the object is stored locally to the VDE node, it may be stored as a secure or protected 
object so that it is not directly accessible to a calling process. ACCESS method 2000 establishes the 
connections, routings, and security requisites needed to access the object" ('193 192:41-) 

- "Electronic delivery person 4060 receives item 4054 in digital form and places it into a secure 
electronic container 302-thus forming a digital "object" 300. A digital object 300 may in this case be, 
for example, as shown in FIGS. 5A and 5B, and may include one or more containers 302 containing 
item 4054. FIG. 88 illustrates secure electronic container 302 as an attaché case handcuffed to the 
secure delivery person's wrist. Once again, container is shown as a physical thing for purposes of 
illustration only-in the example it is preferably electronic rather than physical, and comprises digital 
information having a well-defined structure (see FIG. 5A). Special mathematical techniques known as 
"cryptography" can be used to make electronic container 302 secure so that only intended recipient 
4056 can open the container and access the electronic document (or other item) 4054 it contains." 
('683 15:56-16:6) 

"Because container 152 can only be opened within a secure protected processing environment 154 
that is part of the virtual distribution environment described in the above-referenced Ginter et al. patent 
disclosure" ( 4 7 12 168:22-25) 

"A VDE content container is an object that contains both content (for example, commercially 
distributed electronic information products such as computer software programs, movies, electronic 
publications or reference materials, etc.) and certain control information related to the use of the 
object's content" ('193 19:15-21) 

- ('193 82:24-45); ('193 192:36-52); ('683 18:49-56); ('861 4:51-64) 
Extrinsic: 

Container: VDE objects are represented in a special form called a container. The container is 
implemented within the VDE as an object-oriented container class. The container class provides a 
standard method by which applications software may encapsulate and read information stored within 
the object. Additionally, the container may include procedural information associated with the data 
being stored. Containers may be nested, and share attributes with nested elements. Nested containers 
are stored within a larger container. VDE recognizes the presence of additional objects within the 
content, and allows the nested containers to share, extend or override the attributes of an outer 
container. (VDE ROI DEVICE v1.0a 9 Feb 1994, IT00008572) 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Container: In data security, a multilevel information structure. A container has a classification and may 
contain objects and/or other containers. (Longley) 

Container: A protected (encrypted) storage object that incorporates descriptive information, protected 
content, and (optionally) control objects applicable to that content (ITG, 3/7/1995, IT00709617, see 
footnote 2) 

Container: A contains protected content, which is divided into one or more atomic elements, and, 
optionally, PERCs governing the content and may be manipulated only as specified by a PERC. (ITG, 
4/6/95, IT00028206, see footnote 5) 

Container: A packaging mechanism, consisting of: *One or more Element-derived components. *An 
organization mechanism which provides a unique name within a flat namespace for each of the 
components in a Container (ITG, 5/12/95, IT00028293) 

Container. A protected digital information storage and transport mechanism for packaging content and 
control information. (ITG, 8/21/95, IT00032372, TD00068B) 

"Secure Container(s)" means electronic container(s) or electronic data arrangements that: (i) use one or 
more cryptographic or other obfuscation techniques to provide protection for at least a portion of the 
Content thereof; and (ii) supports the use of Rules and Controls to enable the Management of Content 
(License Agreement IT and Universal Music Group, 4/13/99, Exhibit 11 to IT 30(b)(6)) 

A protected digital information storage and transport mechanism for packaging content and control 
information. (IT 69 11 87) 

Secure container: A DigiBox container provides security through encryption and the PPE of a 
commerce node. A secure container does not require a secure communications transport mode. (IT 
35965) 

A DigiBox container provides for the persistent protection of its properties. (IT 35920) 
DigiBox containers ensure integrity. (IT 35895) 


secure container 
governed item 

683.2 


Intrinsic: 
Extrinsic: 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Container: In data security, a multilevel information structure. A container has a classification and may 
contain objects and/or other containers. (Longley) 

Item: 1. An element of a set of data. 2. One unit of a commodity such as one ox, one bag, or one can. 

Item: In computing, a group of related characters treated as a unit. For example, a record may comprise 
a number of items, that in turn may consist of other items. (Longley) 

Container: A protected (encrypted) storage object that incorporates descriptive information, protected 
content, and (optionally) control objects applicable to that content. (ITG, 3/7/95, IT00709617, see 
footnote 2) 

Container: A packaging mechanism, consisting of: *One or more Element-derived components. *An 
organization mechanism which provides a unique name within a flat namespace for each of the 
components in a Container (ITG, 5/12/95, IT00028293) 

Container: A protected digital information storage and transport mechanism for packaging content and 
control information. (ITG, 8/21/95, IT00032372, TD00068B) 

Secure Processing Unit: The physically secure hardware component of the SPE: a processor with local 
memory and non-volatile storage. The SPE consists of the SPU itself and the SPE software running on 
the SPU. (ITG, 3/7/95, IT00709620, see footnote 2) 

DigiBox Container. InterTrust's secure cryptographic data structure for packaging and containing 
contents and controls. A DigiBox container provides for the persistent protection of its content and 
controls through the Protected Processing Environment of XECutor. A DigiBox container eliminates 
the need for a secure communications channel, such as SSL or SHTTP. (ITG, 10/2/96, IT00035893, 
TD00189F) 

DigiBox Container: A format for protected storage and transport of digital content and business rules. 
The DigiBox container uses cryptography to ensure that the information it holds is protected and can 
only be manipulated by InterTrust Commerce Nodes. (ITG, 11/17/96, IT00035866, TD00189J) 


secure database 

193.1, 193.11, 
193.15 


Intrinsic: 

- See '193, Figures 7, 10. 

- "FIG. 36 shows an example of how a new record or element may be inserted into a secure database 
610. The load process 1070 shown in FIG. 35 checks each data element or item as it is loaded to ensure 
that it has not been tampered with, replaced or substituted. In the process 1070 shown in FIG. 35, the 
first step that is performed is to check to see if the current user of electronic appliance 600 is 
authorized to insert the item into secure database 610 (block 1072)... The non-secure element within its 
security wrapper may then be stored within secure databases 610." 

- "The keys to decrypt secure database 610 records are, in the preferred embodiment, maintained 
solely within the protected memory of an SPU 500." 

- "By using this process, SPE 503 can protect the data structure (including the indexes) of secure 
databases 610 against substitutions of old items and against substitution of indexes for current items." 

- "The security of secure databases 610 files may be further improved by segmenting the records into 
"compartments." Different encryption/decryption keys may be used to protect different 
"compartment." This strategy can be used to limit the amount of information within secure database 
610 that is encrypted with a single key. Another technique for increasing secure database 630 may be 
to encrypt different portions of the same records with different keys so that more than one key may 
needed to decrypt these records." 

- "Each electronic appliance 600 may have an instance of secure database 610 that securely maintains 
the VDE items. FIG. 16 shows one example of a secure database 610." 

- "VDE Secure Database 610: VDE 100 stores separately deliverable VDE elements in a secure (e.g., 
encrypted) database 610 distributed to each VDE electronic appliance 610. The database 610 in the 
preferred embodiment may store and/or manage three basic classes of VDE items: VDE objects, VDE 
process elements, and VDE data structures." 

- "Secure Database Keys: PPE 650 preferably generates these secure database keys and never exposes 
the outside of the PPE. They are site-specific in the preferred embodiment, and may be "aged" as 
described above. As described above, each time an updated record is written to secure database 610, a 
new key may be used and kept in a key list within the PPE." (212:36) 

- "Secure database encryption keys in the preferred embodiment are frequently changing and are also 
site specific" (219:30) 

- ('193 79:24); ('193 71:28-40); ('193 111:59-67) 
Extrinsic: 

Secure store: The Secure store is the system area that provides an encrypted storage method for storing 
ROI internal files and other highly secure information. In some applications, entire media volumes can 
be distributed encrypted as part of the secure store to enhance overall security for the content by 
obscuring the file system and media descriptors associated with the volume. A dedicated volume or 
partition will only be required if an application cannot be supported without it (e.g. a required 
government security level for the specific application). In most cases, the user will not be required to 
dedicate an entire volume or partition of the hard disk, and the secure store will be supported using an 
encrypted file, or files, on the hard disk. ROI will also support a dedicated partition as an option to the 
administrator of a network server, as one of several ways to assure the integrity of the system. (VDE 
ROI DEVICE v1.0a 9 Feb 1994, IT00008586) 

Database: 1. A collection of data with a given structure for accepting, storing, and providing, on 
demand, data for multiple users. 2. A collection of interrelated data 
organized according to a database schema to serve one or more applications. 3. A collection of data 
fundamental to a system. 4. A collection of data fundamental to an enterprise. (IBM) 

Database: 1. An extensive and comprehensive set of records collected and organized in a meaningful 
manner to serve a particular purpose. 2. In computing, a collection of stored operational data used by 
the applications system of an enterprise. (Longley) 

"The basic security requirements of data base systems are not unlike the security requirements of other 
computing systems we have studied. The basic problem-access control, exclusion of spurious data, 
authentication of users, reliability-have appeared in many context so far in this book. Following is a list 
of requirements for security of data base systems. 

Physical data base integrity, so that the data of a data base is immune to physical 
problems, such as power failures, and so that it is possible to reconstruct that data base if 
it is destroyed through a catastrophe. 

Logical data base integrity, so that the structure of the data base is preserved. With 
logical integrity of a data base, a modification to the value of one field does not affect 
other field, for example. 

Element integrity, so that the data contained in each element is accurate. 

Auditability, to be able to track who has accessed (or modified) the elements in the data 
base. 

Access control, so that a user is allowed to access only authorized data and so that 
different user can be restricted to different modes of access (for example, read or write). 
User authentication, to be sure that every user is positively identified, both for audit trail 
and for permission to access data. 

Availability, meaning that users can access the data base in general and all the data for 
which they are authorized." (Pfleeger) 

Security: The combination of integrity and secrecy, applied to data. (ITG, 5/12/95, IT00028295) 
Secrecy: The inability to obtain any information from data. (ITG, 5/12/95, IT00028294) 


secure execution 
space 

721.34 


Intrinsic: 

- Prosecution History of '721 Patent : 

execution spaces reiers to a resource wnicn can uc uacu iui cacvuhuii ui a un ui u^wa. 
Amendment 

- "Protected execution spaces such as protected processing environments can be programmed or 
otherwise conditioned to accept only those load modules or other executables bearing a digital 
signature/certificate of an accredited (or particular) verifying authority. Tamper resistant barriers may 
be used to protect this programming or other conditioning. The assurance levels described below are a 
measure or assessment of the effectiveness with which this programming or other conditioning is 
protected." 

- ('721 3:16-23) 

- "A protected processing environment or other secure execution space protects itself by executing 
only those load modules or other executables that have been digitally signed for its corresponding 
assurance level." 

- "Different protected processing environments (secure execution spaces) might examine different 
subsets of the multiple digital signatures so that compromising one protected processing environment 
(secure execution space) will not compromise all of them." 

- "The internal ROM 532 and RAM 534 within SPU 500 provide a secure operating environment and 
execution space." ('193 69:33-35) 

- SPU 500 general purpose RAM 534 provides, among other things, secure execution space for secure 
processes. ('193 70:43-44) 

- "Virtual memory manager 580 provides a fully "virtual" memory system to increase the amount of 
"virtual" RAM available in the SPE secure execution space beyond the amount of physical RAM 534a 
provided by SPU 500." ('193 109:24-45) 

Extrinsic: 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Execution: The process of carrying out an instruction or instructions of a computer program by a 
computer. (IBM) 

Space: 1. A site intended for storage of data. 2. A basic unit of area, usually the size of a single 
character. 8. To cause a printer to move the paper a specified number of lines either before or after it 
prints a line. (IBM) 


secure memory, 
memory 

193.1, 193.11, 
193.15 


Intrinsic: 

- "Because secondary storage 652 is not secure, SPE 503 must encrypt and cryptographically seal 
(e.g., using a one-way hash function initialized with a secret value known only inside the SPU 500) 
each swap block before it writes it to secondary storage." ('193 107:39-46) 

- "Due to the practical limits on the amount of ROM 532 and RAM 534 that may be included within 
SPU 500, SPU 500 may store information in memory external to it, and move this information into and 
out of its secure internal memory space on an as needed basis." ('193 18:14-19); 

- "Such external memory may be used to store SPU programs, data and/or other information. For 
example, a VDE control program may be, at least in part, loaded into the memory and communicated 
to and decrypted within SPU 500 prior to execution. Such control programs may be re-encrypted and 
communicated back to external memory where they may be stored for later execution by SPU 500. 
"Kernel" programs and/or some or all of the non-kernel "load modules" may be stored by SPU 500 in 
memory external to it. Since a secure database 610 may be relatively large, SPU 500 can store some or 
all of secure database 610 in external memory and call portions into the SPU 500 as needed. As 
mentioned above, memory external to SPU 500 may not be secure. Therefore, when security is 
required, SPU 500 must encrypt secure information before writing it to external memory, and decrypt 
secure information read from external memory before using it. Inasmuch as the encryption layer relies 
on secure processes and information (e.g., encryption algorithms and keys) present within SPU 500, 
the encryption layer effectively "extends" the SPU security barrier 502 to protect information the SPU 
500 stores in memory external to it." ('193 71:19-40) 

- "Key and Tag Manager 558 also provides services relating to tag generation and management. In the 
preferred embodiment, transaction and access tags are preferably stored by SPE 503 (HPE 655) in 
protected memory (e.g., within the NVRAM 534b of SPU 500). These tags may be generated by key 
and tag manager 558. They are used to, for example, check access rights to, validate and correlate data 
elements. For example, they may be used to ensure components of the secured data structures are not 
tampered with outside of the SPU 500." ('193 120:59-121:1) 

- "The degree of overall security of the VDE system is primarily dependent on the degree of tamper 
resistance and concealment of VDE control process execution and related data storage activities. 
Employing special purpose semiconductor packaging techniques can significantly contribute to the 
degree of security. Concealment and tamper-resistance in semiconductor memory (e.g., RAM, ROM, 
NVRAM) can be achieved, in part, by employing such memory within an SPU package, by encrypting 
data before it is sent to external memory (such as an external RAM package) and decrypting encrypted 
data within the CPU/RAM package before it is executed. This process is used for important VDE 
related data when such data is stored on unprotected media, for example, standard host storage, such as 
random access memory, mass storage, etc." ('193 21:26-40) 

- "Secondary storage 662 may comprise the same one or more non-secure secondary storage 
devices (such as a magnetic disk and a CD-ROM drive as one example) that electronic appliance 600 
uses for general secondary storage functions. In some implementations, part or all of secondary storage 
652 may comprise a secondary storage device(s) that is physically enclosed within a secure enclosure. 
However, since it may not be practical or cost-effective to physically secure secondary storage 652 in 
many implementations, secondary storage 652 may be used to store information in a secure manner by 
encrypting information before storing it in secondary storage 652. If information is encrypted before it 
is stored, physical access to secondary storage 652 or its contents does not readily reveal or 
compromise the information." ('193 62:43-58) 

- ('193 59:60-60:3); ('193 69:47-48); ('193 164:55-60); ('193 59:48-59); ('193 63:60-64:5); ('193 
69:6-11); ('193 69:27-32); ('193 69:39^3); ('193 71:32-35); ('193 71:42-47); ('193 78:16-17); ('193 
120:37-41) 

Extrinsic: 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Memory: All of the addressable storage space in a processing unit and other internal storages that is 
used to execute instructions. (IBM) 


secure operating 
environment, 
said operating 
environment 

891.1 


Intrinsic: 

- "VDE provides a secure operating environment employing VDE foundation elements along with 
secure independently deliverable VDE components that enable electronic commerce models and 
relationships to develop." ('193 13:37-41) 

- "The internal ROM 532 and RAM 534 within SPU 500 provide a secure operating environment and 
execution space" (67:29) 

- ('193 34:26-49); ('193 72:52-73:37); ('193 77:30-44) 
Extrinsic: 

Execution environment: Some load modules contain code that executes in a ROI device. Some load 
modules will contain code that executes in the user's platform microprocessor. This allows methods to 
be constructed that execute in whichever environment is appropriate. For example an information 
method could be built to execute only in ROI secure space for government classes of security, or in the 
user's platform microprocessor for virtually all commercial applications. The public header of the load 
module will contain a field that indicates where it needs to execute. This functionality also allows for 
different ROI devices as well as different user platforms and allows methods to be constructed for 
either. It should be noted that load modules that execute outside of an ROI device are deemed insecure 
by the VDE Architecture and secure processes should not be implemented using load modules that 
execute outside of an ROI device. (VDE ROI DEVICE v1.0a, 9 Feb 1994, IT00008592) 
"Saltzer [SAL74] and Saltzer and Schroeder [SAL75] listed the following principles of the design of 
secure protection systems. 

Least privilege: Each user and each program should operate using the fewest privileges 
possible. In this way, the damage from an inadvertent or malicious attack is minimized. 

Economy of mechanism: The design of the protection system should be small, simple 
and straightforward. Such a protection can be exhaustively tested, perhaps verified, and 
trusted. 

Open design: The protection mechanism must not depend on the ignorance of potential 
attackers; the mechanism should be public, depending on secrecy of relatively few key 
items, such as a password table. An open design is also available for extensive public 
scrutiny. 

Complete mediation: Every access must be checked. 

Permission-based: The default condition should be denial of access. A conservative 
designer identifies those items that should be accessible, rather than those that should not. 

Separation of privilege: Ideally, access to objects should depend on more than one 
condition, such as user authentication plus a cryptographic key. In this way, someone 
who defeats one protection system will not have complete access. 

Least common mechanism: Shared objects provide potential channels for information 
flow. Systems employing physical or logical separation reduce the risk from sharing. 

Easy to use: If a mechanism is easy to use, it is unlikely to be avoided." 
(Pfleeger section 7.2) 

Environment: See InterTrust node: A computer that is enabled for processing of DigiBox containers 
by installation of a PPE, which may be either hardware or software based. A node may include 
application software and/or operating system integration. The node is also termed the environment. 
(ITG, 8/21/95, IT00032375, TD00068B) 


securely applying 
891.1 


Intrinsic: 
Extrinsic: 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Applying: 1. In journaling, to place after-images of records into a physical file member. The after- 
images are recorded as entries in a journal. 2. An SMP process that moves distributed code and MVS- 
type programs to the system libraries. (IBM) 


securely 
assembling 

912.8,912.35 


Intrinsic: 

- ('193 87:33-40) 

"ROS 602 also provides a tagging and sequencing scheme that may be used within the loadable 
component assemblies 690 to detect tampering by substitution." ('193 87:41-62) 

- "ROS 602 generates component assemblies 690 in a secure manner. As shown graphically in 
FIGS. 11I and 11J, the different elements comprising a component assembly 690 may be 
"interlocking" in the sense that they can only go together in ways that are intended by the VDE 
participants who created the elements and/or specified the component assemblies. ROS 602 includes 
security protections that can prevent an unauthorized person from modifying elements, and also 
prevent an unauthorized person from substituting elements." ('193 84:60-85:2) 

"ROS 602 assembles these elements together into an executable component assembly 690 prior to 
loading and executing the component assembly (e.g., in a secure operating environment such as SPE 
503 and/or HPE 655). ROS 602 provides an element identification and referencing mechanism that 
includes information necessary to automatically assemble elements into a component assembly 690 in 
a secure manner prior to, and/or during, execution." ('193 83:44-52) 
- ('107 page 782 claim 80); ('193 116:25-35); ('193 116:29-33) 

Extrinsic: 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 


securely 
processing 

891.1 


Intrinsic: 

- "VDE can satisfy the requirements of widely differing electronic commerce and data security 
applications by, in part, employing this general purpose transaction management foundation to securely 
process VDE transaction related control methods." ('193 25:52-57) 

- "For example, they [HPE and SPE] may each perform secure processing based on one or more VDE 
component assemblies 690, and they may each offer secure processing services to OS kernel 680." 
('193 79:43-46) 

- "VDE methods 1000 are designed to provide a very flexible and highly modular approach to secure 
processing." ('193 181:18-19) 

- "In these cases, secure processing steps performed by an SPU typically must be segmented into 
small, securely packaged elements that may be "paged in" and "paged out" of the limited available 
internal memory space." (67:39) 

- ('193 21:43-22:31); ('193 109:24-45); ('193 139:28-31); ('683 24:26-33) 

- Load modules are not necessarily directly governed by PERCs 808 that control them, nor must they 
contain any time/date information or expiration dates. The only control consideration is the preferred 
embodiment is that one or more methods 1000 reference them using a correlation tag (the value of a 
protected object created by the load module's owner, distributed to authorized parties for inclusion in 
their methods, and to which access and use is controlled by one or more PERCs 808). If a method core 
1000' references a load module 1100 and asserts the proper correlation tag (and the load module 
satisfies the internal tamper checks for the SPE 503), then the load module can be loaded and executed, 
or it can be acquired from, shipped to, updated, or deleted by, other systems. 

- ROS 602 also provides a tagging and sequencing scheme that may be used within loadable 
component assemblies 690 to detect tampering by substitution. Each element comprising a component 
assembly 690 may be loaded into a SPU 500, decrypted using encrypt/decrypt engine 522, and then 
tested/compared to ensure that the proper element has been loaded. ... In addition, a 
validation/correlation tag stored under the encrypted layer of the loadable element may be compared to 
make sure it matches on or more tags provided by a requesting process. This prevents unauthorized use 
of information. As a third protection, a device assigned tag (e.g., a sequence number) stored under an 
encryption layer of loadable element may be checked to make sure it matches a corresponding tag value 
expected by SPU 500. This prevents substitution of older elements. Validation/correlation tags are 
typically passed only in secure wrappers to prevent plaintext exposure of this information outside of 
SPU 500. 

- Key and Tag Manager 558 also provides service relating to tag generation and management. In the 
preferred embodiment, transaction and access tags are preferably stored by SPE 503 (HPE 665) in 
protected memory (e.g., within the NVRAM 534b of SPU 500). These tags may be generated by key 
and tag manager 558. They are used to, for example, check access rights to, validate and correlate data 
elements. For example, they may be used to ensure components of the secured data structures are not 
tampered with outside of the SPU 500. 

- Initiation of load module execution in this environment is strictly controlled by a combination of 
access tags, validation tags, encryption keys, digital signatures, and/or correlation tags. Thus, a load 
module 1100 may only be referenced if the caller knows its ID and asserts the shared secret correlation 
tag specific to that load module. The decrypting SPU may match the identification token and local 
access tag of a load module after decryption. These techniques make the physical replacement of any 
load module 1100 detectable at the next physical access of a load module. 

- Meters and budgets are common examples of this. Expiration dates cannot be used effectively to 
prevent substitution of the previous copy of a budget UDE 1200. To secure these frequently updated 
items, a transaction tag is generated and included in the encrypted item each time that item is updated. 
A list of all VDE items Ids and the current transaction tags for each item is maintained as part of the 
secure database 610. 

UDEs 1200 are preferably encrypted using a site specific key once they are loaded into a site. This site- 
specific key marks a validation tag that may be derived from a cryptographically strong pseudo-random 
sequence by the SPE 503 and updated each time the record is written back to the secure database 610. 
This technique provided reasonable assurance that the UDE 1200 has not been tampered with nor 
submitted when it is requested by the system for the next use. 

Extrinsic: 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Process: 1. The performance of logical operations and calculations on datum including temporary 
retention of data in processor storage while the data is being operated on. (IBM) 

Process: (1) in computing, the active system entity through which programs run. The entity in 
a computer system to which authorizations are granted; thus the unit of accountability in a computer 
system. (2) In computing, a program in execution (4) In computing, a program is a static piece of 
code and a process is the execution of that code. (Longley) 

Processing: In legislation, as defined by the U.K. Data Protection Act of 1984, pertaining to the 
amending, augmenting, deleting, or re-arranging of the data or extracting the information constituting 
the data and, in the case of personal data, processing means performing any of the abovementioned 
operations by reference to the data subject (Longley) 


securely 
receiving 

891.1 


Intrinsic: 

Prosecution History of Application 08/388,107: "Johnson's user database is not securely delivered, but 
rather is created at the license server by-and is under the control of-the site administrator " 

08/388,107, Amendment, 06/20/97, p. 23 (MSI028847) 

"[Applicants' independent claims ... require secure delivery of both first and second control items 
originating from someplace other than the appliance where they are used, at least in part, for controlling 
the same process, operation or the like. This feature in combination is not taught or suggested by 
Johnson and/or Rosen." 
(pg.23) 

"Johnson's user database is not securely delivered, but rather is created at the license server by-and is 
under the control of-the site administrator " 
(pg.23) 

"Rosen does not disclose or suggest securely delivering controls of plural different entities and/or 
appliances from at least one source remote to the receiving site or appliance as recited in applicants' 
independent claims Rosen's is distinguishable at least because Rosen's merchant trusted agent 
(MTA) and customer trusted agent (CTA) are loaded into different appliances and operate in different 
appliances. ... Furthermore, such loading operation is performed at Rosen's physically secure device 
manufacturing site - not from at least one source remote to the device." 
(pg. 23-24) 

08/388,307, Amendment, 06/20/97, p. 23, 23, 24 (MSI028847-48) 

- "Secure communications means employing authentication, digital signaturing, and encrypted 
transmissions." ('193 12:5-35, 12:33) 

- The appliance 600 may then open the secure electronic container ("attache case") 302 and deliver 
the item it contains to recipient 4056 (FIG. 91B, block 4092D). ('683 ) 

- "FIGS. 114A-118 show example processes for securely receiving an item" ('683 14:64-65) 

- "By way of non-exhaustive summary, these present inventions provide a highly secure and trusted 
item delivery and agreement execution services providing the following features and functions:" 
('683:6) 

- "When encrypted or otherwise secured information is delivered into a user's secure VDE processing 
area (e.g., PPE 650), a portion of this information can be used as a "tag" that is first decrypted or 
otherwise unsecured and then compared to an expected value to confirm that the information represents 
expected information. The tag thus can be used as a portion of process confirming the identity and 
correctness of received, VDE protected, information" (214:17) 

- "For objects in which maintaining security is particularly important, the permission records 808 
and key blocks 810 will frequently be distributed electronically, using secure communications 
techniques (discussed below) that are controlled by the VDE nodes of the sender and receiver." ('193 
129:8-13) 

- "Creator B ... may accept such a [new control] model if information associated with the one or 
more meter methods that record the number of bytes decrypted by users is securely packaged by 
distributor B's VDE secure subsystem and is securely, employing VDE communications techniques, 
sent to creator B in addition to distributor A" ('193 307:46-51) 

- ('193 209:27-30); ('193 29:64-30:4); ('193 36:29-33); ('193 45:39-45); ('193 153:53-67); ('193 
293:4-7); ('683 15:67-16:4) 

Extrinsic: 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Receiving: 1. To obtain and store data. (IBM) 

Secure Processing Unit: The physically secure hardware component of the SPE: a processor with local 
memory and non-volatile storage. The SPE consists of the SPU itself and the SPE software running on 
the SPU. (ITG, 3/7/1995, IT00709620, see footnote 2) 


security level, 
level of security 

721.1; 721.34, 
912.8 


Intrinsic: 

- ('193 21:26-31); ('193 45:52-59), but only as to 912.8. 

- "For example, protected processing environments or other secure execution spaces that are more 
impervious to tampering (such as those providing a higher degree of physical security) may use an 
assurance level that isolates it from protected processing environments or other secure execution spaces 
that are relatively more susceptible to tampering (such as those constructed solely by software 
executing on a general purpose digital computer in a non-secure location)." 

- "The present invention may use a verifying authority and the digital signatures it provides to 
compartmentalize the different electronic appliances depending on their level of security (e.g., work 
factor or relative tamper resistance)." 

- "Assurance level I might be used for an electronic appliance(s) 61 whose protected processing 
environment 108 is based on software techniques that may be somewhat resistant to tampering. An 
example of an assurance level I electronic appliance 61 A might be a general purpose personal computer 
that executes software to create protected processing environment 108. An assurance level II electronic 
appliance 61B may provide a protected processing environment 108 based on a hybrid of software 
security techniques and hardware-based security techniques. An example of an assurance level II 
electronic appliance 61B might be a general purpose personal computer equipped with a hardware 
integrated circuit secure processing unit ("SPU") that performs some secure processing outside of the 
SPU (see Ginter et al. patent disclosure FIG. 10 and associated text). Such a hybrid arrangement might 
be relatively more resistant to tampering than a software-only implementation. The assurance level III 
appliance 61C shown is a general purpose personal computer equipped with a hardware-based secure 
processing unit 132 providing and completely containing protected processing environment 108 (see 
Ginter et al. FIGS. 6 and 9 for example). A silicon-based special purpose integrated circuit security chip 
is relatively more tamper-resistant than implementations relying on software techniques for some or all 
of their tamper-resistance." ('721 _) 

- "Assurance level in this example may be assigned to a particular protected processing environment 
108 at initialization (e.g., at the factory in the case of hardware-based secure processing units). 
Assigning assurance level at initialization time facilitates the use of key management (e.g., secure key 
exchange protocols) to enforce isolation based on assurance level. For example, since establishment of 
assurance level is done at initialization time, rather than "in the field" in this example, the key exchange 
mechanism can be used to provide new keys (assuming an assurance level has been established 
correctly)." ('721 _) 

- "The assurance level III appliance 61C shown is a general purpose personal computer equipped with 
a hardware-based secure processing unit 132 providing and completely containing protected processing 
environment 108 (see Ginter et al. FIGS. 6 and 9 for example). A silicon-based special purpose 
integrated circuit security chip is relatively more tamper-resistant than implementations relying on 
software techniques for some or all of their tamper-resistance." 

- "Protected execution spaces such as protected processing environments can be programmed or 
otherwise conditioned to accept only those load modules or other executables bearing a digital 
signature/certificate of an accredited (or particular) verifying authority. Tamper resistant barriers may 
be used to protect this programming or other conditioning. The assurance levels described below are a 
measure or assessment of the effectiveness with which this programming or other conditioning is 
protected." 

- SN: 08/689,754: Amendment 

- Claims 9 and 30 cancelled. 

- Claims 1-2, 5-6, 30-15, 17-23, 26-27, 31-32, 34, 36, 38-43 amended. Some terms changed (e.g. 
work factor = security level); points in part to '107 spec'n (and in part to specific portions of '754 app.) 
to support definiteness of challenged claim terms; "execution spaces" "refers to a resource which can 
be used for execution of a program or process." (14)); 

- "In accordance with this feature of the invention, verifying authority 100 supports all of these 
various categories of digital signatures, and system 50 uses key management to distribute the 
appropriate verification keys to different assurance level devices. For example, verifying authority 100 
may digitally sign a particular load module 54 such that only hardware-only based server(s) 402(3) at 
assurance level XI may authenticate it. This compartmentalization prevents any load module executable 
on hardware-only servers 402(3) from executing on any other assurance level appliance (for example, 
software-only protected processing environment based support service 404(1))." (19:11) 

- "VDE, in its preferred embodiment, uses special purpose tamper resistant Secure Processing Units 
(SPUs) to help provide a high level of security for VDE processes and information storage and 
communication." ('193 4:3-7) 

- ('193 29:24-28); ('193 49:59-62); ('193 201:51-55); ('193 203:58-67); ('193 212:66-213:15) 

"In order to allow, in the preferred embodiment, the ability to differentiate installations with 
different levels/degrees of trustedness/security, different certification key pairs may be used (e.g., 
different certification keys may be used to certify SPEs 503 then are used to certify HPEs 655)." 
(210:36) 

"security level. To protect digital works against unauthorized uses, repositories need different 
degrees of physical security. Repositories handling extremely valuable works need greater 
security than ones for ordinary and portable use. The term security level refers to a sequence of 
levels ranging from low security to very high security." 

"Letting Loose the Light: Igniting Commerce in Electronic Publication " Stefik, draft 1994, 1995 

(MSI028761) 

"Security level: Different degrees of physical security - ranging from low security to very high 
security - for protecting digital works against unauthorized use. Repositories for handling 
extremely valuable works need greater security than those for ordinary and portable use " 
Letting Loose the Light: Igniting Commerce in Electronic Publication, Stefik, in Internet Dreams, 
MIT 1996 (MS1028785) 

Prosecution History of '721 Patent: 

"please amend the application identified above as follows: 

IN THE CLAIMS 

Please cancel claims ... and amend claims 1, ... as follows: 
1. [Amended] A security method comprising: 

(a) digitally signing a first load module with a first digital signature designating the first load 
module for use by a first device class; 

(b) digitally signing a second load module with a second digital signature different from the first 
digital signature, the second digital signature designating the second load module for use by a second 
device class having at least one of tamper resistance and/[or] security level [work factor substantially] 
different from the at least one of tamper resistance and/[or] security level [work factor] of the first 
device class; 

(c) distributing the first load module for use by at least one device in the first device class; and 

(d) distributing the second load module for use by at least one device in the second device class." 

(pg. 1-2) 

"36. [Amended] A protected processing environment comprising: 

a first tamper resistant barrier having a first security level [work factor], 

a first secure execution space, and 

at least one arrangement within the first tamper resistant barrier that prevents the first secure execution 
space from executing the same executable accessed by a second [further] secure execution space having 
a second [further] tamper resistant barrier with a second [further] security level [work factor 
substantially] different from the first security level [work factor]." 
(pg. 10) 

"In the pending Office Action, the Examiner rejected claims 1-43 under 35 U.S.C. 112, second 
paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter 
of the invention. By this Amendment, Applicants have canceled claims ... and amended other claims 
to more appropriately define the present invention In response to the Examiner's rejection, 
Applicants also have amended Claims 1-2, ... 36, ... to address issues raised by the Examiner." 
(pg. 13) 

08/689,754 ('721), Amendment, 04/14/99, 1-2, 10, 13 
Extrinsic: 

Security: The quality or state of being cost-effectively protected from undue losses (e.g. loss of 
goodwill, monetary loss, loss of ability to continue operations, etc.) (Longley) 

Level: 1. The degree of subordination of an item in a hierarchic arrangement. 3. The version of a 
program. (IBM) 

Level: 1. In computer security, see security level and integrity level. (Longley) 

Security level: In computer security, the combination of hierarchical classification and a set of non- 
hierarchical categories that represent the sensitivity of information. (Longley) 

Integrity level: In access control, a level of trustworthiness associated with a subject or object 
(Longley) 

Security: The combination of integrity and secrecy, applied to data. (ITG, 5/12/95, IT00028295) 
Secrecy: The inability to obtain any information from data. (ITG, 5/12/95, IT00028294) 


tamper resistance 

721.1, 721.34, 
900.155 


Intrinsic: 

"The level of security and tamper resistance required for trusted SPU hardware processes depends on 
the commercial requirements of particular markets or market niches, and may vary widely." ('193 
49:59-62) 

Extrinsic: 

Tamper-resistant Module: In data security, a device in which sensitive information, such as a master 
cryptographic key, is stored and cryptographic functions are performed. The device has one or more 
sensors to detect physical attacks, by an adversary trying to gain access to the stored information in 
which case the stored sensitive data is immediately destroyed. (Longley) 

Information Security Dictionary of Concepts, Standards, and Terms (1992) ("Tamper-resistant Module: 
In data security, a device in which sensitive information, such as a master cryptographic key, is stored 
and cryptographic functions are performed. The device has one or more sensors to detect physical 
attacks, by an adversary trying to gain access to the stored information in which case the stored 
sensitive data is immediately destroyed.") 

IT4153(M9, IT51 147-60 

Neumann, Computer Related Risks (1995) at 349 


Tamper resistant 
barrier 

721.34 


Intrinsic: 

"In addition, Applicants would like to draw the Examiner's attention to other sections of the 
specification in support of words or phrases cited by the Examiner as "indefinite." ... In claims ... 36 
... the term "barrier" is used as part of the phrase "tamper resistant barrier." This phrase is described in 
the specification on at least pages 7-8 and 46. In addition, the incorporated Ginter application describes 
tamper resistant barriers in a number of locations such as, for example, page 201" 
(pg. 13-14) (pages 7 and 46 of the original specification are '721 2:62-3:13 and 16:35-54 of the issued 
patent; page 201 of Ginter application SN 08/388,107 is '193 80:40-81:1) 

08/689,754 ('721), Amendment, 04/14/99, p. 14 

- "SPU 500 is enclosed within and protected by a "tamper resistant security barrier" 502. Security 
barrier 502 separates the secure environment 503 from the rest of the world. It prevents information and 
processes within the secure environment 503 from being observed, interfered with and leaving except 
under appropriate secure conditions." ('193 59:48-53) 

- "Although block 1262 includes encrypted summary services information on the back up, it 
preferably does not include SPU device private keys, shared keys, SPU code and other internal security 
information to prevent this information from ever becoming available to users even in encrypted form." 
('193 166:59-64) 

"Briefly, the preferred example software-based PPE 650 installation process provides the following 
security techniques: encrypted software distribution, installation customized on a unique instance 
and/or electronic appliance basis, encrypted on-disk form, installation tied to payment method, unique 
software and data Layout, and identifiable copies." (236:32) 

" (c) if the load module has an associate digital signature , authenticating the digital signature at 
least one public key secured behind a tamper resistant barrier and therefore hidden from the user." 
('721.9) 

"A further attack technique might involve duplicating one installed operational material 3472 
instance by copying the programs and data from one personal computer 3372B to another personal 
computer 3372C or emulator (see FIG. 67B, block 3364, and the "copy" arrow 3364A in FIG. 67A). 
The duplicated PPE instance could be used in a variety of ways, such as, for example, to place an 
imposter PPE 650 instance on-line and/or to permit further dynamic analysis." ('900 233:8-15) 

"Various software protection techniques detailed above in connection with FIG. 10 may provide 
software-based tamper resistant barrier 674 within a software-only and/or hybrid software/hardware 
protected processing environment 650. The following is an elaboration on those above-described 
techniques. These software protection techniques may provide, for example, the following: An on-line 
registration process that results in the creation of a shared secret between the registry and the PPE 650 
instance — used by the registry to create content and transactions that are meaningful only to specific 
PPE instance. An installation program (that may be distinct from the PPE operational material 
software) that creates a customized installation of the PPE software unique to each PPE instance and/or 
associate electronic appliance 600. Camouflage protections that make it difficult to reverse engineer 
the PPE 650 operational materials during PPE 650 operation. Integrity checks performed during PPE 
650 operation (e.g., during on-line interactions with trusted servers) to detect compromise. In general, 
the software-based tamper resistant barrier 674 may establish "trust" primarily through uniqueness and 
complexity." ('900 235:30-57) 

- ('900 243:3-9); ('193 80:40-65, Fig. 10); ('900 230:61-65); ('900 233:24-33); ('900 235:30-56); 
('900 236:9-15) 

tamper resistant 
software 

900.155 



use 

912.8, 912.35, 
861.58, 193.19, 
891.1, 683.2, 
721.1 



Extrinsic: 

Tamper-resistant Module: In data security, a device in which sensitive information, such as a master 
cryptographic key, is stored and cryptographic functions are performed. The device has one or more 
sensors to detect physical attacks, by an adversary trying to gain access to the stored information in 
which case the stored sensitive data is immediately destroyed. (Longley) 

"The "tamper-resistant module" is physically strong and destroys secrets when opened, and the 
software running inside has been checked for integrity;" (Davies) 

"The host computer is provided with a specially, physically secure module containing all the secret 
[illegible] protected. In the IBM papers it is called the 'Cryptographic Facility'; we 
shall call it a 'Tamper Resistant Module' (TRM)." (Davies) 



Intrinsic: 

"Operational materials 3472 may then decrypt the next program segment dynamically - This 
[illegible] increases the tamper-resistance of the executable code-thus providing additional tamper 
resistance for PPE operations." ('900 243:3-8) 

Extrinsic: 

Tamper-resistant Module: In data security, a device in which sensitive information, such as a master 
cryptographic key, is stored and cryptographic functions are performed. The device has one or more 
sensors to detect physical attacks, by an adversary trying to gain access to the stored information in 
which case the stored sensitive data is immediately destroyed. (Longley) 
"Tamper resistant software resists observation and modification." Aucsmith, D., Tamper Resistant 
Software, 1st Workshop on Information Hiding, May 30, 1996. 



Intrinsic: 



Provides non-repudiation of use and may record specific forms of use such as viewing, editing, 
extracting, copying, redistributing (including to what one or more parties), and/or saving. 

Content (executables for example) delivered with proof of delivery and/or execution or other use. 
"In general, VDE enables parties that (a) have rights in electronic information, and/or (b) act as 
direct or indirect agents for parties who have rights in electronic information, to ensure that the 
moving, accessing, modifying, or otherwise using of information can be securely controlled by 
rules regarding how, when, where, and by whom such activities can be performed" ('193 6:24-31) 
"Some or all of the back up files may be packaged within an administrative object and transmitted 
for analysis, transportation, or other uses." ('193 6:24-) 

"Thus wrapped, a VDE object may be distributed to the recipient without fear of unauthorized 
access and/or other use. The one or more authorized users who have received an object are the only 
parties who may open that object and view and/or manipulate and/or otherwise modify its contents 
and VDE secure auditing ensures a record of all such user content activities." ('193 277:15-21) 
"These appliances typically include a secure subsystem that can enable control of content use such 
as displaying, encrypting, decrypting, printing, copying, saving, extracting, embedding, 
distributing, auditing usage, etc". ('193 9:24-27) 

"VDE provides a secure, distributed electronic transaction management system for controlling the 
distribution and/or other usage of electronically provided and/or stored information." ('193 9:36- 
39) 

- "As a result, VDE supports most types of electronic information and/or appliance: usage control 
(including distribution), security, usage auditing, reporting, other administration, and payment 
arrangements." ('193 13:50-53) 

"SPU 500 is enclosed within and protected by a "tamper resistant security barrier" 502. Security 
barrier 502 separates the secure environment 503 from the rest of the world. It prevents 
information and processes within the secure environment 503 from being observed, interfered with 
and leaving except under appropriate secure conditions. Barrier 502 also controls external access to 
secure resources, processes and information within SPU 500. In one example, tamper resistant 
security barrier 502 is formed by security features such as "encryption," and hardware that detects 
tampering and/or destroys sensitive information within secure environment 503 when tampering is 
detected." ('193 59:48-59) 

"Once the information is downloaded, the now-initialized PPE 650 can discard (or simply not use) 
the manufacturing key." ('193 212:57-59) 

Extrinsic: 

User: A person using a InterTrust node to perform some function (i.e., acting in some role). A user is 
identified with respect to the node by a user ID. (ITG, 5/12/95, IT00028300) 

User ID: Locally to a InterTrust node, each InterTrust user has an ID associated with a user name and 
authentication (e.g., password). In some deployments, there may be only one user, and access to the 
machine may be considered sufficient authentication; in such cases, the user ID concept may not be 
visible to the user even though it is present in the implementation. (ITG, 5/12/95, IT00028301) 

Use: To use an object is to access the content. This involves the processes of controlling and metering 
the use of the property and creating audit trail records on the use. (VDE ROI DEVICE v 1.0a 9 Feb 
1994, IT00008570) 


user controls 
683.2 


Intrinsic: 

"PPE 650 may perform various tests on the inputted item and/or other results of the user interaction 
provided by block 4512E in accordance with one or more user controls." ('683 39:19-21) 
('193 26:39-67) 

- "support user interaction through: ...(c) VDE aware applications which, as a result of the use of a VDE 
API and/or a transaction management (for example, ROS based) programming language embeds VDE 
"awareness" into commercial or internal software (application programs, games, etc.) so that VDE user 
control information and services are seamlessly integrated into such software .... For example, in a 
VDE aware word processor application, a user may be able to "print" a document into a VDE content 
container object, applying specific control information by selecting from amongst a series of different 
menu templates for different purposes (for example, a confidential memo template for internal 
organization purposes may restrict the ability to "keep," that is to make an electronic copy of the 
memo)." ('193 26:39) 

Extrinsic: 

Control: A business rule that governs the use of content (ITG, 1997-1998, ML00012B) 

Control: A set of rules and consequences that apply to a governed element. The term control can apply 
to either a control program or a control set (ITG, 1997-2000, ML00012D) 

Control: * Control Element: A data structure that giverns (sic) the operation of a control mechanism 
(e.g., meter element, budget element, report element, trail element). * Control mechanism: One of the 
mechanisms that controls and performs operations on a VDE object (e.g. meter, bill, budget). A control 
mechanism is distinct from a control element in that it specifies the execution of some process. * 
Control object: A data structure that is used to implement some VDE control: a PERC, a control 
element, a control parameter, or the data representing a control mechanism. * Control Parameter: A 
data structure that is input to a control mechanism and that serves as part of the mechanism's 
specifications. For example, a billing mechanism might have a pricing parameter; a creator using that 
mechanism could alter the parameter but not change the mechanism itself. (ITG, 3/7/1995, 
IT00709618, see footnote 2) 

Control: Defines rules and consequences for operations on a Property Chunk. A Control may be 
implemented by a process of arbitrary complexity (within the limits posed by the capability of the 
Node. (ITG, 5/12/95, IT00028293) 

Control: A set of rules and consequences for operations on content, such as pricing, payment models, 
usage reporting etc. (ITG, 8/21/95, IT00032373, TD00068B) 

User: A person using a InterTrust node to perform some function (i.e., acting in some role). A user is 
identified with respect to the node by a user ID. (ITG, 5/12/95, IT00028300) 

User ID: Locally to a InterTrust node, each InterTrust user has an ID associated with a user name and 
authentication (e.g., password). In some deployments, there may be only one user, and access to the 
machine may be considered sufficient authentication; in such cases, the user ID concept may not be 
visible to the user even though it is present in the implementation. (ITG, 5/12/95, IT00028301) 

Extrinsic: 

User: 1. A person who requires the services of a computing system. 2. Any person or any thing that 
may issue or receive commands and messages to or from the information processing system. (IBM) 

User: 1. In communications security, any person who interacts directly with a network system. 
4. In computer security, people who can access an AIS either by direct connections or indirect 
connections. (Longley) 

Control: The determination of the time and order in which the parts of a data processing system and the 
devices that contain those parts perform the input, processing, storage, and output functions. (IBM) 


validity 
912.8 


Intrinsic: 

- "One of the functions SPU 500 may perform is to validate/authenticate VDE objects 300 and other 
items. Validation/authentication often involves comparing long data strings to determine whether they 
compare in a predetermined way." ('193 67:56-60) 

- ('193 73:24-25); ('193 73:26); ('193 78:6-17); ('193 87:47-55); ('193 112:46-61); ('193 210:28- 
35) 

Extrinsic: 

Validation: 1. In Cryptography, the process of checking the data integrity of a message, or selected 
parts of a message. (Longley) 

Validity Check: The process of analyzing data to determine whether it conforms to predetermined 
completeness and consistency parameters. (Microsoft Computer Dictionary, 3rd ed. 1997) 
"Validate - resolve references to other objects, check 'parameters'" (IT00051955) 


Virtual 

distribution 

environment 

900.155 


Intrinsic: 

'193 203:58-67; '193 2:22 through conclusion of Background and Summary 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment" 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 

See 900.155 for Prosecution History limitations. 

"With respect to the remaining issues, Applicants respectfully disagree. For example, the 
Examiner objects to the use of "environment" as indefinite and unclear. This word, however, is not 
used in isolation, but rather in the context of several longer phrases, all of which are defined in the 
specification. The phrase "protected processing environment," for example, is used in Claims 11 and 
15-18 and described on at least, for example, pages 7-8 and 25 of the specification. The term "virtual 
distribution environment" used in Claim 11 is described, for example, on page 7 of the specification. 
The terms are also described in the commonly copending application Serial Number 08/388,107 of 
Ginter et al., filed 13 February 1995, entitled "System and Methods for Secure Transaction 
Management and Electronic Rights Protection." A copy of the incorporated Ginter application can be 
provided to the Examiner upon request." 

(pg. 13-14) (pages 7, 7-8 and 25 of the original specification are '721 2:62-3:13, 2:62-3:34 and 8:6-28 
of the issued patent) 

08/689,754 ('721), Amendment, 04/14/99, p. 13 

- VDE supports a model wide, distributed security implementation which creates a single secure 
"virtual" transaction processing and information storage environment. VDE enables distributed VDE 
installations to securely store and communicate information and remotely control the execution 
processes and the character of use of electronic information at other VDE installations and in a wide 
variety of ways; ('193 21:57-65) 

- The rights protection problems solved by the present invention are electronic versions of basic 
societal issues. These issues include protecting property rights, protecting privacy rights, properly 
compensating people and organizations for their work and risk, protecting money and credit, and 
generally protecting the security of information. ('193 4:8-13) 

- The present invention provides a new kind of "virtual distribution environment" (called "VDE" in this 
document) that secures, administers, and audits electronic information use. ('193 2:24-27) 

- A fundamental problem for electronic content providers is extending their ability to control the use of 
proprietary information. Content providers often need to limit use to authorized activities and amounts. 
Participants in a business model involving, for example, provision of movies and advertising on optical 
discs may include actors, directors, script and other writers/musicians, studios, publishers, distributors, 
retailers, advertisers, credit card services, and content end-users. These participants need the ability to 
embody their range of agreements and requirements, including use limitations, into an "extended" 
agreement comprising an overall electronic business model. This extended agreement is represented by 
electronic content control information that can automatically enforce agreed upon rights and 
obligations. Under VDE, such an extended agreement may comprise an electronic contract involving all 
business model participants. Such an agreement may alternatively, or in addition, be made up of 
electronic agreements between subsets of the business model participants. Through the use of VDE, 
electronic commerce can function in the same way as traditional commerce-that is commercial 
relationships regarding products and services can be shaped through the negotiation of one or more 
agreements between a variety of parties. ('193 2:37-60) 

- "Protecting the rights of electronic community members involves a broad range of technologies. 
VDE combines these technologies in a way that creates a "distributed" electronic rights protection 
"environment." This environment secures and protects transactions and other processes important for 
rights protection. VDE, for example, provides the ability to prevent, or impede, interference with and/or 
observation of, important rights related transactions and processes." ('193 3:63-4:3) 

- "VDE is a cost-effective and efficient rights protection solution that provides a unified, consistent 
system for securing and managing transaction processing. VDE can: (a) audit and analyze the use of 
content, (b) ensure that content is used only in authorized ways, and (c) allow information regarding 
content usage to be used only in ways approved by content users." ('193 4:48-55) 

- In general, VDE enables parties that (a) have rights in electronic information, and/or (b) act as direct 
or indirect agents for parties who have rights in electronic information, to ensure that the moving, 
accessing, modifying, or otherwise using of information can be securely controlled by rules regarding 
how, when, where, and by whom such activities can be performed. ('193 6:24-30) 

- "A variety of capabilities are required to implement an electronic commerce environment. VDE is 
the first system that provides many of these capabilities and therefore solves fundamental problems 
related to electronic dissemination of information." ('193 8:16-20) 

- VDE offers an architecture that avoids reflecting specific distribution biases, administrative and 
control perspectives, and content types. Instead, VDE provides a broad-spectrum, fundamentally 
configurable and portable, electronic transaction control, distributing, usage, auditing, reporting, and 
payment operating environment. VDE is not limited to being an application or application specific 
toolset that covers only a limited subset of electronic interaction activities and participants. Rather, 
VDE supports systems by which such applications can be created, modified, and/or reused. As a result, 
the present invention answers pressing, unsolved needs by offering a system that supports a 
standardized control environment which facilitates interoperability of electronic appliances, 
interoperability of content containers, and efficient creation of electronic commerce applications and 
models through the use of a programmable, secure electronic transactions management foundation and 
reusable and extensible executable components. VDE can support a single electronic "world" within 
which most forms of electronic transaction activities can be managed. ('193 8:53-9:5) 

- "VDE can securely manage the integration of control information provided by two or more parties. 
As a result, VDE can construct an electronic agreement between VDE participants that represent a 
"negotiation" between, the control requirements of, two or more parties and enacts terms and conditions 
of a resulting agreement. VDE ensures the rights of each party to an electronic agreement regarding a 
wide range of electronic activities related to electronic information and/or appliance usage." ('193 9:52- 
61) 

- ""Hardware" 506 also contains long-term and short-term memories to store information securely so it 
can't be tampered with." ('193 60:1-3) 

- VDE prevents many forms of unauthorized use of electronic information, by controlling and auditing 
(and other administration of use) electronically stored and/or disseminated information. ('193 11:60-63) 

- Together, these VDE components comprise a secure, virtual, distributed content and/or appliance 
control, auditing (and other administration), reporting, and payment environment. ('193 13:14-17) 

- VDE can securely deliver information from one party to another concerning the use of commercially 
distributed electronic content. Even if parties are separated by several "steps" in a chain (pathway) of 
handling for such content usage information, such information is protected by VDE through encryption 
and/or other secure processing. Because of that protection, the accuracy of such information is 
guaranteed by VDE, and the information can be trusted by all parties to whom it is delivered. ('193 
14:31-39) 

- VDE allows the needs of electronic commerce participants to be served and it can bind such 
participants together in a universe wide, trusted commercial network that can be secure enough to 
support very large amounts of commerce. VDE's security and metering secure subsystem core will be 
present at all physical locations where VDE related content is (a) assigned usage related control 
information (rules and mediating data), and/or (b) used. This core can perform security and auditing 
functions (including metering) that operate within a "virtual black box," a collection of distributed, very 
secure VDE related hardware instances that are interconnected by secured information exchange (for 
example, telecommunication) processes and distributed database means. ('193 15:14-27) 

- VDE provides organization, community, and/or universe wide secure environments whose integrity is 
assured by processes securely controlled in VDE participant user installations (nodes). ('193 20:48-51) 

- "Summary of Some Important Features Provided by VDE in Accordance With the Present 
Invention: VDE employs a variety of capabilities that serve as a foundation for a general purpose, 
sufficiently secure distributed electronic commerce solution. VDE enables an electronic commerce 
marketplace that supports divergent, competitive business partnerships, agreements, and evolving 
overall business models. For example, ... employ "templates" to ease the process of configuring 
capabilities of the present invention as they relate to specific industries or businesses. ...Given the very 
large range of capabilities and configurations supported by the present invention, reducing the range of 
configuration opportunities to a manageable subset particularly appropriate for a given business model 
allows the full configurable power of the present invention to be easily employed by "typical" users 
who would be otherwise burdened with complex programming and/or configuration design 
responsibilities template applications can also help ensure that VDE related processes are secure and 
optimally bug free by reducing the risks associated with the contribution of independently developed 
load modules, including unpredictable aspects of code interaction between independent modules and 
applications, as well as security risks associated with possible presence of viruses in such modules 

As the context surrounding these templates changes or evolves, template applications provided under 
the present invention may be modified to meet these changes for broad use, or for more focused 
activities. ... Of course, templates may, under certain circumstances have fixed control information and 
not provide for user selections or parameter data entry." ('193 21:43-53 27:1-28:18) 

- "Summary of Some Important Features Provided by VDE in Accordance With the Present Invention: 
VDE employs a variety of capabilities that serve as a foundation for a general purpose, sufficiently 
secure distributed electronic commerce solution. VDE enables an electronic commerce marketplace that 
supports divergent, competitive business partnerships, agreements, and evolving overall business 
models. For example, ... provide mechanisms to persistently maintain trusted content usage and 
reporting control information through both a sufficiently secure chain of handling of content and 
content control information and through various forms of usage of such content wherein said 
persistence of control may survive such use. Persistence of control includes the ability to extract 
information from a VDE container object by creating a new container whose contents are at least in part 
secured and that contains both the extracted content and at least a portion of the control information 
which control information of the original container and/or are at least in part produced by control 
information of the original container for this purpose and/or VDE installation control information 
stipulates should persist and/or control usage of content in the newly formed container. Such control 
information can continue to manage usage of container content if the container is "embedded" into 
another VDE managed object, such as an object which contains plural embedded VDE containers, each 
of which contains content derived (extracted) from a different source." ('193 21:43-53 28:45-65) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present 
Invention.... Interoperability is fundamental to efficient electronic commerce. The design of the VDE 
foundation, VDE load modules, and VDE containers, are important features that enable the VDE node 
operating environment to be compatible with a very broad range of electronic appliances. ('193 21:43- 
45 34:25-30) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present Invention.... 
securely support electronic currency and credit usage control, storage, and communication at, and 
between, VDE installations. ('193 21:43-45 36:49-51) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present Invention.... 
requiring reporting and payment compliance by employing exhaustion of budgets and time ageing of 
keys. ('193 21:43-45 40:8-9) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present Invention.... 
Because of the VDE security, including use of effective encryption, authentication, digital signaturing, 
and secure database structure, the records contained within a VDE card arrangement may [illegible] 
as valid transaction records for government and/or corporate recordkeeping requirements. ('193 21:43- 
45 41:37-42) 

- Since all secure communications are at least in part encrypted and the processing inside the secure 
subsystem is concealed from outside observation and interference, the present invention ensures that 
content control information can be enforced. ('193 46:4-8) 

- An important feature of VDE is that it can be used to assure the administration of, and adequacy of 
security and rights protection for, electronic agreements implemented through the use of the present 
invention. ('193 46:51-54) 

- These are merely a few simple examples demonstrating the importance of ROS 602 ensuring that 
certain component assemblies 690 are formed in a secure manner. ROS 602 provides a wide range of 
protections against a wide range of "threats" to the secure handling and execution of component 
assemblies 690. ('193 85:15-20) 

- VDE further enables this process by providing a secure execution space in which negotiation 
process(es) are assured of integrity and confidentiality in their operation. ('193 245:20-22) 

- "Taken together, and employed at times with VDE administrative objects and VDE security 
arrangement and processes, the present invention truly achieves a content [illegible] 
architecture that can be configured to most any commercial distribution embodiment ('193 261:10- 

- For example, VDE 100 positively controls content access and usage, provides guarantee of payment 
for content used, and enforces budget limits for accessed content. ('193 240:53-56) 

- Such metering is a flexible basis for ensuring payment for content royalties, licensing, purchasing, 
and/or advertising. ('193 33:56-58) 

- The overall integrity and security of VDE 100 could ensure, in a coherent and centralized manner, that 
electronic reporting of tax related information (derived from one or more electronic commerce 
activities) would be valid and comprehensive. ('193 237:47-51) 

- Distributors 106 and financial clearinghouses 116 may themselves be audited based on secure records 
of their administrative activities and a chain of reliable, "trusted" processes ensures the integrity of the 
overall digital distribution process. This allows content owners, for example, to verify that they are 
receiving appropriate compensation based on actual content usage or other agreed-upon bases. ('193 
254:66-255:5) 

- Because the control information is carried with each copy of a VDE protected document, and can 
ensure that central registries are updated and/or that originators are notified of document use, tracking 
can be prompt and accurate. ('193 281:14-16) 

- A final desirable feature of agreements in general (and electronic representations of agreements in 
particular) is that they be accurately recorded in a non-repudiatable form. In traditional terms, this 
involves creating a paper document (a contract) that describes the rights, restrictions, and obligations of 
all parties involved. This document is read and then signed by all parties as being an accurate 
representation of the agreement. Electronic agreements, by their nature, may not be ultimately rendered in 

VDE enables such agreements to be accurately electronically described and then electronically 
signed to prevent repudiation. ('193 245:25-35) 

- As discussed above, a wide variety of techniques are currently being used to provide secure, trusted 
confidential delivery of documents and other items. Unfortunately, none of these previously existing 
mechanisms provide truly trusted, virtually instantaneous delivery on a cost-effective, convenient basis 
and none provide rights management and auditing through persistent, secure, digital information 

[illegible], the present inventions provide the trustedness, confidentiality and security of a personal 
trusted courier on a virtually instantaneous and highly cost-effective basis. They provide techniques, 
systems and methods that can bring to any form of electronic communications (including, but not 
limited to Internet and internal company electronic mail) an extremely high degree of trustedness, 
confidence and security approaching or exceeding that provided by a trusted personal courier. They also 
provide a wide variety of benefits that flow from rights management and secure chain of handling and 
control. ('683 5:20) 

- The Virtual Distribution Environment provides comprehensive overall systems, and wide arrays of 
methods, techniques, structures and arrangements, that enable secure, efficient electronic commerce and 
rights management on the Internet and other information superhighways and on internal corporate 
networks such as "Intranets". ('683 5:41) 

- "parties using the Virtual Distribution Environment can participate in commerce and other 
transactions in accordance with a persistent set of rules they electronically define." ('683 6:11) 

- "All of these various coordination steps can be performed nearly simultaneously, efficiently, rapidly 
and with an extremely high degree of trustedness based on the user of electronic containers 302 and the 
secure communications, authentication, notarization and archiving techniques provided in accordance 
with the present inventions" ('683 55:54) 

- "People are increasingly using secure digital containers to safely and securely store and transport 
digital content. One secure digital container model is the "DigiBox.TM." container developed by 
InterTrust Technologies, Inc. of Sunnyvale, Calif. The Ginter et al. patent specification referenced 
above describes many characteristics of this DigiBox.TM. container model— a powerful, flexible, 
general construct that enables protected, efficient and interoperable electronic description and regulation 
of electronic commerce relationship of all kinds, including the secure transport, storage and rights 
management interface with objects and digital information within such containers." ('861 1:35) 

- "Briefly, DigiBox containers are tamper-resistant digital containers that can be used to package any 
kind of digital information such as, for example, text, graphics, executable software, audio and/or video. 
The rights management environment in which DigiBox.TM. containers are used allows commerce 
participants to associate rules with the digital information (content). The rights management 
environment also allows rules (herein including rules and parameter data controls) to be securely 
associated with other rights management information, such as for example, rules, audit records created 
during use of digital information and administrative information associated with keeping the 
environment working properly, including ensuring rights and any agreements among parties. The 
DigiBox.TM. electronic container can be used to store, transport and provide a rights management 
interfaces to digital information, related rules and other rights management information, as well as to 
other objects and/or data within a distributed, rights management environment. This arrangement can 
be used to provide electronically enforced chain of handling and control wherein rights management 
persists as a container moves from one entity to another. This capability helps support a digital rights 
management architecture that allows content rightsholders (including any parties who have system 
authorized interests related to such content, such as content republishers or even governmental 
authorities) to securely control and manage content, events, transactions, rules and usage consequences, 
including any required payment and/or usage reporting. This secure control and management continues 
persistently, protecting rights as content is delivered to, used by, and passed among creators, 
distributors, repurposers, consumers, payment disaggregators, and other value chain participants..." 
('861 1:47) 

- "Use of secure electronic containers to transport items provides an unprecedented degree 
of security, trustedness and flexibility." ('683 8:50) 

- "Virtual distribution environment 100 is "virtual" because it does not require many of the physical 
"things" that used to be necessary to protect rights, ensure reliable and predictable distribution, and 
ensure proper compensation to content creators and distributors." ('193 53:23-27) 

- VDE allows the needs of electronic commerce participants to be served and it can bind such 
participants together in a universe wide, trusted commercial network that can be secure enough to 
support very large amounts of commerce. VDE's security and metering secure subsystem core will be 
present at all physical locations where VDE related content is (a) assigned usage related control 
information (rules and mediating data), and/or (b) used. This core can perform security and auditing 
functions (including metering) that operate within a "virtual black box," a collection of distributed, 
very secure VDE related hardware instances that are interconnected by secured information exchange 
(for example, telecommunication) processes and distributed database means. ('193 15:14-27) 

- "Summary of Some Important Features Provided by VDE in Accordance With the Present Invention 
...VDE employs special purpose hardware distributed throughout some or all locations of a VDE 
implementation: a) said hardware controlling important elements of: content preparation (such as 
causing such content to be placed in a VDE content container and associating content control 
information with said content), content and/or electronic appliance usage auditing, content usage 
analysis, as well as content usage control; and b) said hardware having been designed to securely 
handle processing load module control activities, wherein said control processing activities may involve 
a sequence of required control factors" ('193 21:43-45 22:20-31) 

- Physical facility and user identity authentication security procedures may be used instead of hardware 
SPUs at certain nodes, such as at an established financial clearinghouse, where such procedures may 
provide sufficient security for trusted interoperability with a VDE arrangement employing hardware 
SPUs at user nodes. ('193 45:60-65) 

- An important part of VDE provided by the present invention is the core secure transaction control 
arrangement, herein called an SPU (or SPUs), that typically must be present in each user's computer, 
other electronic appliance, or network. SPUs provide a trusted environment for generating decryption 
keys, encrypting and decrypting information, managing the secure communication of keys and other 
information between electronic appliances (i.e. between VDE installations and/or between plural VDE 
instances within a single VDE installation), securely accumulating and managing audit trail, reporting, 
and budget information in secure and/or non-secure non-volatile memory, maintaining a secure 
database of control information management instructions, and providing a secure environment for 
performing certain other control and administrative functions. ('193 48:66-49:14) 

- A hardware SPU (rather than a software emulation) within a VDE node is necessary if a highly trusted 
environment for performing certain VDE activities is required. ('193 49:15-17) 

- ""Hardware" 506 also contains long-term and short-term memories to store information securely so it 
can't be tampered with." ('193 60:1-3) 

- A VDE node's hardware SPU is a core component of a VDE secure subsystem and may employ some 
or all of an electronic appliance's primary control logic, such as a microcontroller, microcomputer or 
other CPU arrangement. This primary control logic may be otherwise employed for non VDE purposes 
such as the control of some or all of an electronic appliance's non-VDE functions. When operating in a 
hardware SPU mode, said primary control logic must be sufficiently secure so as to protect and conceal 
important VDE processes. For example, a hardware SPU may employ a host electronic appliance 
microcomputer operating in protected mode while performing VDE related activities, thus allowing 
portions of VDE processes to execute with a certain degree of security. ('193 49:33-46) 

- As shown in FIG. 6, in the preferred embodiment, an SPU 500 may be implemented as a single 
integrated circuit "chip" 505 to provide a secure processing environment in which confidential and/or 
commercially valuable information can be safely processed, encrypted and/or decrypted. ('193 63:48- 
52) 

- "SPU 500 is enclosed within and protected by a "tamper resistant security barrier" 502. Security barrier 
502 separates the secure environment 503 from the rest of the world. It prevents information and 
processes within the secure environment 503 from being observed, interfered with and leaving except 
under appropriate secure conditions. Barrier 502 also controls external access to secure resources, 
processes and information within SPU 500. In one example, tamper resistant security barrier 502 is 
formed by security features such as "encryption," and hardware that detects tampering and/or destroys 
sensitive information within secure environment 503 when tampering is detected." ('193 59:48-59) 

- "SPU 500 may be surrounded by a tamper-resistant hardware security barrier 502. Part of this 
security barrier 502 is formed by a plastic or other package in which an SPU "die" is encased. Because 
the processing occurring within, and information stored by, SPU 500 are not easily accessible to the 
outside world, they are relatively secure from unauthorized access and tampering. All signals cross 
barrier 502 through a secure, controlled path provided by BIU 530 that restricts the outside world's 
access to the internal components within SPU 500. The secure, controlled path resists attempts from 
the outside world to access secret information and resources within SPU 500." ('193 63:60-64:5) 

- Regulation is ensured by control information put in place by one or more parties. ('193 6:34-35) 

- "Limited only by the VDE control information employed by content creators, other providers, and 
other pathway of handling and control participants, VDE allows a "natural" and unhindered flow of, and 
creation of, electronic content product models." ('193 297:25-29) 

- As a result, the present invention answers pressing, unsolved needs by offering a system that supports 
a standardized control environment which facilitates interoperability of electronic appliances, 
interoperability of content containers, and efficient creation of electronic commerce applications and 
models through the use of a programmable, secure electronic transactions management foundation and 
reusable and extensible executable components. ('193 8:62-9:3) 

- Independently, securely deliverable, component based control information allows efficient interaction 
among control information sets supplied by different parties. ('193 10:46-48) 

- A significant facet of the present invention's ability to broadly support electronic commerce is its 
ability to securely manage independently delivered VDE component objects containing control 
information (normally in the form of VDE objects containing one or more methods, data, or load 
module VDE components). This independently delivered control information can be integrated with 
senior and other pre-existing content control information to securely form derived control information 
using the negotiation mechanisms of the present invention. All requirements specified by this derived 
control information must be satisfied before VDE controlled content can be accessed or otherwise used. 
This means that, for example, all load modules and any mediating data which are listed by the derived 
control information as required must be available and securely perform their required function. ('193 
30:66-11:14) 

- Content control information governs content usage according to criteria set by holders of rights to an 
object's contents and/or according to parties who otherwise have rights associated with distributing such 
content (such as governments, financial credit providers, and users). ('193 15:46-50) 

- In part, security is enhanced by object methods employed by the present invention because the 
encryption schemes used to protect an object can efficiently be further used to protect the associated 
content control information (software control information and relevant data) from modification. ('193 
15:51-55) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present Invention.... 
Content users, such as end-user customers using commercially distributed content (games, information 
resources, software programs, etc.), can define, if allowed by senior control information, budgets, 
and/or other control information, to manage their own internal use of content. ('193 21:43-45 29:3-8) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present Invention.... 
support the separation of fundamental transaction control processes through the use of event (triggered) 
based method control mechanisms. These event methods trigger one or more other VDE methods 
(which are available to a secure VDE sub-system) and are used to carry out VDE managed transaction 
related processing. These triggered methods include independently (separably) and securely 
processable component billing management methods, budgeting management methods, metering 
management methods, and related auditing management processes. As a result of this feature of the 
present invention, independent triggering of metering, auditing, billing, and budgeting methods, the 
present invention is able to efficiently, concurrently support multiple financial currencies (e.g. dollars, 
marks, yen) and content related budgets, and/or billing increments as well as very flexible content 
distribution models. ('193 21:43-45 42:21-38) 

- support, complete, modular separation of the control structures related to (1) content event triggering, 
(2) auditing, (3) budgeting (including specifying no right of use or unlimited right of use), (4) billing, 
and (5) user identity (VDE installation, client name, department, network, and/or user, etc.). The 
independence of these VDE control structures provides a flexible system which allows plural 
relationships between two or more of these structures, for example, the ability to associate a financial 
budget with different event trigger structures (that are put in place to enable controlling content based 
on its logical portions). Without such separation between these basic VDE capabilities, it would be 
more difficult to efficiently maintain separate metering, budgeting, identification, and/or billing 
activities which involve the same, differing (including overlapping), or entirely different, portions of 
content for metering, billing, budgeting, and user identification, for example, paying fees associated 
with usage of content, performing home banking, managing advertising services, etc. VDE modular 
separation of these basic capabilities supports the programming of plural, "arbitrary" relationships 
between one or differing content portions (and/or portion units) and budgeting, auditing, and/or billing 
control information. ('193 42:39-63) 

- The virtual distribution environment 100 prevents use of protected information except as permitted by 
the "rules and controls" (control information). For example, the "rules and controls" shown in FIG. 2 
may grant specific individuals or classes of content users 112 "permission" to use certain content. They 
may specify what kinds of content usage are permitted, and what kinds are not. They may specify how 
content usage is to be paid for and how much it costs. As another example, "rules and controls" may 
require content usage information to be reported back to the distributor 106 and/or content creator 102. 
('193 56:26-35) 

- "ROS VDE functions 604 may be based on segmented, independently loadable executable 
"component assemblies" 690. These component assemblies 690 are independently securely deliverable. 
The component assemblies 690 provided by the preferred embodiment comprise code and data 
elements that are themselves independently deliverable.... These component assemblies 690 are the 
basic functional unit provided by ROS 602. The component assemblies 690 are executed to perform 
operating system or application tasks. Thus, some component assemblies 690 may be considered to be 
part of the ROS operating system 602, while other component assemblies may be considered to be 
"applications" that run under the support of the operating system." ('193 83:12-29) 

- "As mentioned above, ROS 602 provides several layers of security to ensure the security of 
component assemblies 690. One important security layer involves ensuring that certain component 
assemblies 690 are formed, loaded and executed only in secure execution space such as provided within 
an SPU 500." ('193 87:33-38) 

- "Methods 1000 perform the basic function of defining what users (including, where appropriate, 
distributions, client administration, etc.), can and cannot do with an object 300." ('193 128:36-33) 

- "Container 152 in this example further includes an electronic control set 188 describing conditions 
under which the power may be exercised. Controls 188 define the power(s) granted to each of the 
participants - including (in this example) conditions or limitations for exercising these powers. 
Controls 188 may provide the same powers and/or conditions of use for each participant, or they may 
provide different powers and/or conditions of use for each participant." ('712 220:1-8) 

- "...content creators and rights owners can register permissions with the rights and permissions 
clearinghouses 400 in the form of electronic "control sets." These permissions can specify what 
consumers can and can't do with digital properties, under what conditions the permissions can be 
exercised and the consequences of exercising the permissions." ('712 72:2-7) 

- "This "channel 0" "open channel" task may then issue a series of requests to secure database manager 
566 to obtain the "blueprint" for constructing one or more component assemblies 690 to be 
associated with channel 594 (block 1127). In the preferred embodiment, this "blueprint" may 
comprise a PERC 808 and/or URT 464." ('193 112:46-51) 

- In part, security is enhanced by object methods employed by the present invention because the 
encryption schemes used to protect an object can efficiently be further used to protect the associated 
content control information (software control information and relevant data) from modification. ('193 
15:51-55) 

- FIG. 5A shows how the virtual distribution environment 300, in a preferred embodiment, may 
package information elements (content) into a "container" 302 so the information can't be accessed 
except as provided by its "rules and controls." Normally, the container 302 is electronic rather than 
physical. Electronic container 302 in one example comprises "digital" information having a well 
defined structure. Container 302 and its contents can be called an "object 300." ('193 58:39-46) 

- "Moreover, when any new VDE object 300 arrives at an electronic appliance 600, the electronic 
appliance must "register" the object within object registry 450 so that it can be accessed." ('193 153:56- 
59) 

- "Even if the object is stored locally to the VDE node, it may be stored as a secure or protected object 
so that it is not directly accessible to a calling process. ACCESS method 2000 establishes the 
connections, routings, and security requisites needed to access the object." ('193 192:14-19) 

- "ACCESS method 2000 reads the ACCESS method MDE from the secure database, reads it in 
accordance with the ACCESS method DTD, and loads encrypted content source and routing 
information based on the MDE (blocks 2010, 2012). This source and routing information specifies the 
location of the encrypted content. ACCESS method 2000 then determines whether a connection to the 
content is available (decision block 2014). This "connection" could be, for example, an on-line 
connection to a remote site, a real-time information feed, or a path to a secure/protected resource, for 
example. If the connection to the content is not currently available ("No" exit of decision block 2014), 
then ACCESS method 2000 takes steps to open the connection (block 2016). If the connection fails 
(e.g., because the user is not authorized to access a protected secure resource), then the ACCESS 
method 2000 returns with a failure indication (termination point 2018)." ('193 192:36-52) 

- "It also employs a software object architecture for VDE content containers that carries protected 
content and may also carry both freely available information (e.g., summary, table of contents) and 
secured content control information which ensures the performance of control information." ('193 15:41-46) 

- "In this example, creator 102 may employ one or more application software programs and one or 
more VDE secure subsystems to place unencrypted content into VDE protected form (i.e., into one or 
more VDE content containers)." ('193 315:53-56) 

- "The Ginter et al. patent specification referenced above describes many characteristics of this 
DigiBox™ container model, a powerful, flexible, general construct that enables protected, efficient and 
interoperable electronic description and regulation of electronic commerce relationships of all kinds..." 
('861 1:39) 

- "The node and container model described above and in the Ginter et al. patent specification (along 
with similar other DigiBox/VDE (Virtual Distribution Environment) models) has nearly limitless 
flexibility." ('861 2:37) 

- Therefore, the container creation and usage tools must themselves be secure in the sense that they 
must protect certain details about the container design. This additional security requirement can make it 
even more difficult to make containers easy to use and to provide interoperability. ('861 4:59) 

- "FIG. 88 illustrates secure electronic container 302 as an attaché handcuffed to the secure delivery 
person's wrist. Once again, container is shown as a physical thing for purposes of illustrations only - in 
the example it is preferably electronic rather than physical, and comprises digital information having a 
well-defined structure (see FIG. 5A). Special mathematical techniques known as "cryptography" can 
be used to make electronic container 302 secure so that only intended recipient 4056 can open the 
container and access the electronic document (or other items) 4054 it contains." ('683 15:61) 

- "Appliance 600B may deliver the digital copy of item 4054 within container 302 and/or protect the 
item with seals, electronic fingerprints, watermarks and/or other visible and/or hidden markings to 
provide a "virtual container" or some of the security or other characteristics of a container (for example, 
the ability to associate electronic controls with the item)." ('683 18:) 

- "For example, defendant's attorney 5052 can specify one container 302 for opening by his 
co-counsel, client or client in-house counsel, and program another container 302 for opening only by 
opposing (plaintiff's) counsel 5050. Because of the unique trustedness features provided by system 
4050, the defendant's attorney 5052 can have a high degree of trust and confidence that only the 
authorized parties will be able to open the respective containers and access the information they 
contain." ('683 56:17) 

- "The "container" concept is a convenient metaphor used to give a name to the collection of elements 
required to make use of content or to perform an administrative-type activity." ('193 127:30-32) 

- "the virtual distribution environment 100, in a preferred embodiment, may package information 
elements (content) into a "container" 302 so the information can't be accessed except as provided by its 
"rules and controls."" ('193 58:39-43) 

- "VDE 100 provides a media independent container model for encapsulating content." ('193 127:2-3) 

- "The electronic form of a document is stored as a VDE container (object) associated with the specific 
client and/or case. The VDE container mechanism supports a hierarchical ordering scheme for 
organizing files and other information with a container, this mechanism may be used to organize the 
electronic copies of the documents within a container. A VDE container is associated with specific 
access control information and rights that are described in one or more permissions control information 
sets (PERCs) associated with that container. In this example, only those members of the law firm who 
possess a VDE instance, an appropriate PERC, and the VDE object that contains the desired document, 
may use the document." ('193 274:52-64) 

- "The situation is no better for processing documents within the context of ordinary computer and 
network systems. Although said systems can enforce access control information based on user identity, 
and can provide auditing mechanism for tracking accesses to files, these are low-level mechanisms that 
do not permit tracking or controlling the flow of content. In such systems, because document content 
can be freely copied and manipulated, it is not possible to determine where documents content has 
gone, or where it came from." ('193 281:27-35) 

- "Secure containers 302 may be used to encapsulate the video and audio being exchanged between 
electronic kiosk appliances 600, 600' to maintain confidentiality and ensure a high degree of 
trustedness. 

- "Because container 152 can only be opened within a secure protected processing environment 154 
that is part of the virtual distribution environment described in the above-referenced Ginter et al. patent 
disclosure" 

- "The present invention provides a new kind of "virtual distribution environment" (called 
"VDE" in this document) that secures, administers, and audits electronic information use. VDE also 
features fundamentally important capabilities for ..." ('193 2:24-28) 

-"the present invention truly achieves a content control and auditing architecture that can be configured 
to most any commercial distribution embodiment" ('193 261:12-15) 

-"The inability of conventional products to be shaped to the needs of electronic information providers 
and users is sharply in contrast to the present invention. Despite the attention devoted by a cross-section 
of America's largest telecommunications, computer, entertainment and information provider companies 
to some of the problems addressed by the present invention, only the present invention provides 
commercially secure, effective solutions for configurable, general purpose electronic commerce 
transaction/distribution control systems." ('193 2:13-22) 

-"The configurability provided by the present invention is particularly critical for supporting electronic 
commerce, that is enabling businesses to create relationships and evolve strategies that offer 
competitive value. Electronic commerce tools that are not inherently configurable and interoperable 
will ultimately fail to produce products (and services) that meet both basic requirements and evolving 
needs of most commerce applications." ('193 16:41-48) 

-"VDE also extends usage control information to an arbitrary granular level (as opposed to a file based 
level provided by traditional operating systems) and ..." ('193 275:8-11) 

-"Summary of Some Important Features Provided by VDE in Accordance With the Present Invention: 
...." ('193 21:43-45) 

-"A significant facet of the present invention's ability to broadly support electronic commerce is its 
ability to securely manage independently delivered VDE component objects containing control 
information ...." ('193 10:66-11:2) 

-"Some of the key factors contributing to the configurability intrinsic to the present invention include: 
...." ('193 16:66-67) 

-"The scalable transaction management/auditing technology of the present invention will result in more 
efficient and reliable interoperability ..." ('193 34:9-11) 

-"the present invention answers pressing, unsolved needs by offering a system that supports a 
standardized control environment which facilitates interoperability of electronic appliances, 
interoperability of content containers, and efficient creation of electronic commerce applications and 
models through the use of a programmable, secure electronic transactions management foundation and 
reusable and extensible executable components." ('193 8:63-9:3) 

-"The design of the VDE foundation, VDE load modules, and VDE containers, are important features 
that enable the VDE node operating environment to be compatible with a very broad range of electronic 
appliances." ('193 34:26-30) 

-"The ability to optionally incorporate different methods 1000 with each object is important to making 
VDE 100 highly configurable." ('193 128:28-30) 

-"An important feature of VDE is that it can be used to assure the administration of, and adequacy of 
security and rights protection for, electronic agreements implemented through the use of the present 
invention." ('712 168:22-25) 

-"In this example, both the address request 602 and the responsive information 604 are contained within 
secure electronic containers 152 in order to maintain the confidentiality and integrity of the requests 
and responses. In this way, for example, outside eavesdroppers cannot tell who sender 95(1) wants to 
communicate with or what information he or she needs to perform communications with or what 
information he or she needs to perform the communications - and the directory responses cannot be 
"spoofed" to direct the requested message to another location." ('712 12:15-22) 

Components: "On the other hand, if the information to be exchanged has already been secured and/or is 
available without authentication (e.g., certain catalog information, containers that have already been 
encrypted and do not require special handling, etc.), the "weaker" form of login/password may be used." 
('193 290:57-62) 

Components: "VDE provides means to securely combine content provided at different times, by 
differing sources, and/or representing different content types. These types, timings, and/or different 
sources of content can be employed to form a complex array of content within a VDE content container 
objects, each containing different content whose usage can be controlled, at least in part, by its own 
container's set of VDE content control information." ('193 397:35-) 

Container-Related Methods: "Although methods 1000 can have virtually unlimited variety and some 
may even be user-defined, certain basic "use" type methods are preferably used in the preferred 
embodiment to control most of the more fundamental object manipulation and other functions provided 
by VDE 100. For example, the following high level methods would typically be provided for object 
manipulation: OPEN method, READ method, WRITE method, CLOSE method. An OPEN method is 
used to control opening a container so its content may be accessed. A READ method is used to control 
access to contents in a container. A WRITE method is used to control the insertion of contents into a 
container. A CLOSE method is used to close a container that has been opened." ('193 183:12-29) 5 

- "DESTROY method 2180 removes the ability of a user to use an object by destroying the URT the 
user requires to access the object. In the preferred embodiment, .... DESTROY method 2180 may then 
call a WRITE and/or ACCESS method to write information which will corrupt (and thus destroy) the 
header and/or other important parts of the object (block 2186). DESTROY method 2180 may then 
mark one or more of the control structures (e.g., the URT) as damaged by writing appropriate 
information to control structure (blocks 2188, 2190)." ('193 198:41-45) 

- "PANIC method 2200 may prevent the user from further accessing the object currently being accessed 
by, for example, destroying the channel being used to access the object and marking one or more of the 
control structures (e.g., the URT) associated with the user and object as damaged (blocks 2206, and 
2208-2210, respectively). Because the control structure is damaged, the VDE node will need to contact 
an administrator to obtain a valid control structure(s) before the user may access the same object 
again." ('193 198:60-199:2) 

- "EXTRACT method 2080 is used to copy or remove content from an object and place it into a new 
object. In the preferred embodiment, the EXTRACT method 2080 does not involve any release of 
content, but rather simply takes content from one container and places it into another container, both of 
which may be secure. Extraction of content differs from release in that the content is never exposed 
outside a secure container." ('193 394:13-20) 

- "Use of secure electronic containers to transport items provides an unprecedented degree of security, 
trustedness and flexibility." ('683 8:50) 

-"Electronic delivery person 4060 can deliver the electronic version of item 4054 within secure 
container attache case 302 from personal computer 4116' to another personal computer 4116 operated 
by recipient 4056." ('683 20:27) 

- "Because these transactions are conducted using VDE and VDE secure containers, those observing 
the communications learn no more than the fact that the parties are communicating." ('712 310:1-3) 

- "VDE in one example provides a "virtual silicon container" ("virtual black box") in that several 
different instances of SPU 500 may securely communicate together to provide an overall secure 
hardware environment that "virtually" exists at multiple locations and multiple electronic appliances 
600. FIG. 87 shows one model 3600 of a virtual silicon container. This virtual container model 3600 
includes a content creator 102, a content distributor 106, one or more content redistributors 106a, one or 
more client administrators 700, one or more client users 3602, and one or more clearinghouses 116. 
Each of these various VDE participants has an electronic appliance 600 including a protected 
processing environment 655 that may comprise, at least in part, a silicon-based semiconductor 
hardware element secure processing unit 500. The various SPUs 500 each encapsulate a part of the 
virtual distribution environment, and thus, together form the virtual silicon container 3600." ('193 317:58-318:8) 

-"uses tools to transform digital information (such as electronic books, databases, computer software 
and movies) into protected digital packages called "objects." Only those consumers (or other along the 
chain of possession such as redistributor) who receive permission from a distributor 106 can open these 
packages. VDE packaged content can be constrained by "rules and control information."" ('193 254:18-25) 

-"To open VDE package and make use of its content, an end-user must have permission." ('193 254:45-46) 

- "place unencrypted content into VDE protected form (i.e., into one or more VDE content containers)." 
('193 315:55-56) 

- "VDE can protect a collection of rights belonging to various parties having rights in, or to, 
electronic information. This information may be at one location or dispersed across (and/or moving 
between) multiple locations. The information may pass through a "chain" of distributors and a "chain" 
of users. Usage information may also be reported through one or more "chains" of parties. In general, 
VDE enables parties that (a) have rights in electronic information, and/or (b) act as direct or indirect 
agents for parties who have rights in electronic information, to ensure that the moving, accessing, 
modifying, or otherwise using of information can be securely controlled by rules regarding how, when, 
where, and by whom such activities can be performed." ('193 6:18-31) 

- All requirements specified by this derived control information must be satisfied before VDE 
controlled content can be accessed or otherwise used. ('193 11:8-11) 

- "VDE provides important mechanisms for both enforcing commercial agreements and enabling the 
protection of privacy rights. VDE can securely deliver information from one party to another 
concerning the use of commercially distributed electronic content. Even if parties are separated by 
several "steps" in a chain (pathway) of handling for such content usage information, such information 
is protected by VDE through encryption and/or other secure processing. Because of that protection, the 
accuracy of such information is guaranteed by VDE, and the information can be trusted by all parties 
to whom it is delivered." ('193 1429-39) 

- VDE ensures that certain prerequisites necessary for a given transaction to occur are met. This 
includes the secure execution of any required load modules and the availability of any required, 
associated data. ('193 20:27-30) 

- Required methods (methods listed as required for property and/or appliance use) must be available as 
specified if VDE controlled content (such as intellectual property distributed within a VDE content 
container) is to be used. ('193 43:37-41) 

- "Since all secure communications are at least in part encrypted and the processing inside the secure 
subsystem is concealed from outside observation and interference, the present invention ensures that 
content control information can be enforced." ('193 46:4-8) 

- This control information can determine, for example: 

(1) How and/or to whom electronic content can be provided, for example, how an electronic property 
can be distributed; 

(2) How one or more objects and/or properties, or portions of an object or property, can be directly 
used, such as decrypted, displayed, printed, etc; .... ('193 46:17-24) 

- ""Hardware" 506 also contains long-term and short-term memories to store information securely so it 
can't be tampered with." ('193 60:1-3) 

- "A feature of VDE provided by the present invention is that certain one or more methods can be 
specified as required in order for a VDE installation and/or user to be able to use certain and/or all 
content." ('193 43:47-50) 

- The virtual distribution environment 100 prevents use of protected information except as permitted by 
the "rules and controls" (control information). ('193 56:26-28) 

- As mentioned above, virtual distribution environment 100 "associates" content with corresponding 
"rules and controls," and prevents the content from being used or accessed unless a set of corresponding 
"rules and controls" is available. The distributor 106 doesn't need to deliver content to control the 
content's distribution. The preferred embodiment can securely protect content by protecting 
corresponding, usage enabling "rules and controls" against unauthorized distribution and use. ('193 57:18-26) 

- Since no one can use or access protected content without "permission" from corresponding "rules and 
controls," the distributor 106 can control use of content that has already been (or will in the future be) 
delivered. ('193 57:30-33) 

- SPU 500 is enclosed within and protected by a "tamper resistant security barrier" 502. Security barrier 
502 separates the secure environment 503 from the rest of the world. It prevents information and 
processes within the secure environment 503 from being observed, interfered with and leaving except 
under appropriate secure conditions. Barrier 502 also controls external access to secure resources, 
processes and information within SPU 500. ('193 59:48-55) 

- Provides non-repudiation of use and may record specific forms of use such as viewing, editing, 
extracting, redistributing (including to what one or more parties), and/or saving. 

- In general, VDE enables parties that (a) have rights in electronic information, and/or (b) act as direct 
or indirect agents for parties who have rights in electronic information, to ensure that the moving, 
accessing, modifying, or otherwise using of information can be securely controlled by rules regarding 
how, when, where, and by whom such activities can be performed. ('193 6:24-30) 

- to securely control access and other use, including distribution of records, documents, and notes 
associated with the case, ('193 274:34-36) 

- Thus wrapped, a VDE object may be distributed to the recipient without fear of unauthorized access 
and/or other use. ('193 277:16-17) 

- These appliances typically include a secure subsystem that can enable control of content use such as 
displaying, encrypting, decrypting, printing, copying, saving, extracting, embedding, distributing, 
auditing usage, etc. ('193 9:24-27) 

- VDE provides a secure, distributed electronic transaction management system for controlling the 
distribution and/or other usage of electronically provided and/or stored information. ('193 9:36-39) 

- "The doctor 5000 may then send container 301(1) to a trusted go-between 4700. ...For example, the 
trusted go-between 4700 in one example has no access to the content of the container 302(1), but does 
have a record of a seal of the contents." ('683 53:40) 

- "FIG. 116 shows example steps that may be performed by PPE 650 in response to an "open" or 
"view" event. In this example, PPE 650 may - upon allowing recipient 4056 to actually interact with 
the item 4054 - ... PPE 650 may then release the image 4068I and/or the data 4068D to the application 
running on electronic appliance 600 - electronic fingerprinting or watermarking the released content if 
appropriate (FIG. 116, block 4625C)." ('683 42:38) 

- FIG. 5A shows how the virtual distribution environment 100, in a preferred embodiment, may 
package information elements (content) into a "container" 302 so the information can't be accessed 
except as provided by its "rules and controls." ('193 58:39-43) 

- Each VDE participant in a VDE pathway of content control information may set methods for some or 
all of the content in a VDE container, so long as such control information does not conflict with senior 
control information already in place with respect to: 

(1) certain or all VDE managed content, 

(2) certain one or more VDE users and/or groupings of users, 

(3) certain one or more VDE nodes and/or groupings of nodes, and/or 

(4) certain one or more VDE applications and/or arrangements. ('193 44:6-17) 

- "All participants of VDE 100 have the innate ability to participate in any role." ('193 256:50-51) 

- "Any VDE user 112 may assign the right to process information or perform services on their behalf 
to the extent allowed by senior control information." ('193 257:17-20) 

- "PERC and URT structures provide a mechanism that may be used to provide precise electronic 
representation of rights and the controls associated with those rights. VDE thus provides a 
"vocabulary" and mechanism by which users and creators may specify their desires" ('193 245:11-) 

- "VDE provides comprehensive and configurable transaction management, metering and monitoring 
technology." ('193 3:34) 

- VDE may be combined with, or integrated into, many separate computers and/or other electronic 
appliances. These appliances typically include a secure subsystem that can enable control of content use 
such as displaying, encrypting, decrypting, printing, copying, saving, extracting, embedding, 
distributing, auditing usage, etc. The secure subsystem in the preferred embodiment comprises one or 
more "protected processing environments", one or more secure databases, and secure "component 
assemblies" and other items and processes that need to be kept secured. VDE can, for example, securely 
control electronic currency, payments, and/or credit management (including electronic credit and/or 
currency receipt, disbursement, encumbering, and/or allocation) using such a "secure subsystem." ('193 9:22) 

- "In addition VDE: 

(a) is very configurable, modifiable, and re-usable; 

(b) supports a wide range of useful capabilities that may be combined in different ways to 
accommodate most potential applications; 

(c) operates on a wide variety of electronic appliances ranging from hand-held inexpensive devices to 
large mainframe computers; 

(d) is able to ensure the various rights of a number of different parties, and a number of different rights 
protection schemes, simultaneously; 

(e) is able to preserve the rights of parties through a series of transactions that may occur at different 
times and different locations; 

(f) is able to flexibly accommodate different ways of securely delivering information and reporting 
usage; and 

(g) provides for electronic analogues to "real" money and credit, including anonymous electronic cash, 
to pay for products and services and to support personal (including home) banking and other financial 
activities." ('193 4:57) 

- It can provide efficient, reusable, modifiable, and consistent means for secure electronic content; 
distribution, usage control, usage payment, usage auditing, and usage reporting. ('193 8:26) 

- VDE offers an architecture that avoids reflecting specific distribution biases, administrative and 
control perspectives, and content types. Instead, VDE provides a broad-spectrum, fundamentally 
configurable and portable, electronic transaction control, distributing, usage, auditing, reporting, and 
payment operating environment. ('193 8:53) 

- The present invention allows content providers and users to formulate their transaction environment 
to accommodate: 

(1) desired content models, content control models, and content usage information pathways, 

(2) a complete range of electronic media and distribution means, 

(3) a broad range of pricing, payment, and auditing strategies, 

(4) very flexible privacy and/or reporting models, 

(5) practical and effective security architectures, and 

(6) other administrative procedures that together with steps (1) through (5) can enable most "real world" 
electronic commerce and data security models, including models unique to the electronic world. ('193 10:11) 

- Because of the breadth of issues resolved by the present invention, it can provide the emerging 
"electronic highway" with a single transaction/distribution control system that can, for a very broad 
range of commercial and data security models, ensure against unauthorized use of confidential and/or 
proprietary information and commercial electronic transactions. ('193 17:22) 

- "A feature of the present invention provides for payment means supporting flexible electronic 
currency and credit mechanisms, including the ability to securely maintain audit trails reflecting 
information related to use of such currency or credit." ('193 33:58) 

- "the end-to-end nature of VDE applications, in which content 108 flows in one direction, generating 
reports and bills 118 in the other, makes it possible to perform "back-end" consistency checks." ('193 223:17) 

- By way of non-exhaustive summary, these present inventions provide a highly secure and trusted 
item delivery and agreement execution services providing the following features and functions: 
Trustedness and security approaching or exceeding that of a personal trusted courier. 

Instant or nearly instant delivery. 

Optional delayed delivery ("store and forward"). 

Broadcasting to multiple parties. 

Highly cost effective. 

Trusted validation of item contents and delivery. 

Value Added Delivery and other features selectable by the sender and/or recipient. 

Provides electronic transmission trusted auditing and validating. 

Allows people to communicate quickly, securely, and confidentially. 

Communications can later be proved through reliable evidence of the communications transaction - 
providing non-repudiatable, certain, admissible proof that a particular communications transaction 
occurred. 

Provides non-repudiation of use and may record specific forms of use such as viewing, editing, 
extracting, copying, redistributing (including to what one or more parties), and/or saving. 

Supports persistent rights and rules based document workflow management at recipient sites. 

System may operate on the Internet, on internal organization and/or corporate networks ("intranets" 
irrespective of whether they use or offer Internet services internally), private data networks and/or using 
any other form of electronic communications. 

System may operate in non-networked and/or intermittently networked environments. 

Legal contract execution can be performed in real time, with or without face to face or ear-to-ear 
personal interactions (such as audiovisual teleconferencing, automated electronic negotiations, or any 
combination of such interactions) for any number of distributed individuals and/or organizations using 
any mixture of interactions. 

The items delivered and/or processed may be any "object" in digital format, including, but not limited 
to, objects containing or representing data types such as text, images, video, linear motion pictures in 
digital format, sound recordings and other audio information, computer software, smart agents, 
multimedia, and/or objects any combination of two or more data types contained within or representing 
a single compound object. 

Content (executables for example) delivered with proof of delivery and/or execution or other use. 

Secure electronic containers can be delivered. The containers can maintain control, audit, receipt and 
other information and protection securely and persistently in association with one or more items. 

Trustedness provides non-repudiation for legal and other transactions. 

Can handle and send any digital information (for example, analog or digital information representing 
text, graphics, movies, animation, images, video, digital linear motion pictures, sound and sound 
recordings, still images, software computer programs or program fragments, executables, data, and 
including multiple, independent pieces of text; sound clips, software for interpreting and presenting 
other elements of content, and anything else that is electronically representable). 

Provides automatic electronic mechanisms that associate transactions automatically with other 
transactions. 

System can automatically insert or embed a variety of visible or invisible signatures such as images 
of handwritten signatures, seals, and electronic "fingerprints" indicating who has "touched" (used or 
other interacted with in any monitorable manner) the item. 

System can affix visible seals on printed items such as documents for use both in encoding receipt and 
other receipt and/or usage related information and for establishing a visible presence and impact 
regarding the authenticity, and ease of checking the authenticity, of the item. 

Seals can indicate who originated, sent, received, previously received and redistributed, electronically 
view, and/or printed and/or otherwise used the item. 

Seals can encode digital signatures and validation information providing time, location, send and/or 
other information and/or providing means for item authentication and integrity check. 

Scanning and decoding of item seals can provide authenticity/integrity check of entire item(s) or part of 
an item (e.g., based on number of words, format, layout, image-picture and/or test-composition, etc.). 

Seals can be used to automatically associate electronic control sets for use in further item handling. 

System can hide additional information within the item using "steganography" for later retrieval and 
analysis. 

Steganography can be used to encode electronic fingerprints and/or other information into an item to 
prevent deletion. 

Multiple steganographic storage of the same fingerprint information may be employed reflecting 
"more" public and "less" public modes so that a less restricted steganographic mode (different 
encryption algorithm, keys, and/or embedding techniques) can be used to assist easy recognition by an 
authorized party and a more private (confidential) mode may be readable by only a few parties (or only 
one party) and compromise of the less restricted mode may not affect the security of the more private 
mode. 

Items such as documents can be electronically, optically scanned at the sender's end - and printed out in 
original, printed form at the recipient's end. 

Document handlers and processors can integrate document scanning and delivery. 

Can be directly integrated into enterprise and Internet (and similar network) wide document workflow 
systems and applications. 

Secure, tamper-resistant electronic appliance, which may employ VDE SPUs, used to handle items at 
both sender and recipient ends. 

"Original" item(s) can automatically be destroyed at the sender's end and reconstituted at the recipient's 
end to prevent two originals from existing simultaneously. 

Secure, non-repudiable authentication of the identification of a recipient before delivery using any 
number of different authentication techniques including but not limited to biometric techniques (such as 
palm print scan, signature scan, voice scan, retina scan, iris scan, biometric fingerprint and/or handprint 
scan, and/or face profile) and/or presentation of a secure identity "token." 

Non-repudiation provided through secure authentication used to condition events (e.g.; a signature is 
affixed onto a document only if the system securely authenticates the sender and her intention to agree 
to its contents). 

Variety of return receipt options including but not limited to a receipt indicating who opened a 
document, when, where, and the disposition of the document (stored, redistributed, copied, etc.). These 
receipts can later be used in legal proceedings and/or other contexts to prove item delivery, receipt 
and/or knowledge. 

Audit, receipt, and other information can be delivered independently from item delivery, and become 
securely associated with an item within a protected processing environment. 
Secure electronic controls can specify how an item is to be processed or otherwise handled (e.g., 
document can't be modified, can be distributed only to specified persons, collections of persons, 
organizations, can be edited only by certain persons and/or in certain manners, can only be viewed and 
will be "destroyed" after a certain elapse of time or real time or after a certain number of handlings, 
etc.). 

Persistent secure electronic controls can continue to supervise item workflow even after it has been 
received and "read." 

Use of secure electronic containers to transport items provides an unprecedented degree of security, 
trustedness and flexibility. 

Secure controls can be used in conjunction with digital electronic certificates certifying as to identity, 
class (age, organization membership, jurisdiction, etc.) of the sender and/or receiver and/or user of 
communicated information. 

Efficiently handles payment and electronic addressing arrangements through use of support and 
administrative services such as a Distributed Commerce Utility as more fully described in the 
copending Shear, et al. application. 

Compatible with use of smart cards, including, for example, VDE enabled smart cards, for secure 
personal identification and/or for payment. 

Transactions may be one or more component transactions of any distributed chain of handling and 
control process including Electronic Data Interchange (EDI) system, electronic trading system, 
document workflow sequence, and banking and other financial communication sequences, etc. ('683 
6:18) 

- "Content providers and distributors have devised a number of limited function rights protection 
mechanisms to protect their rights. Authorization passwords and protocols, license servers, 
"lock/unlock" distribution methods, and non-electronic contractual limitations imposed on users of 
shrink-wrapped software are a few of the more prevalent content protection schemes. In a 
commercial context, these efforts are inefficient and limited solutions." ('900 2:64) 

- "The inability of conventional products to be shaped to the needs of electronic information providers 
and users is sharply in contrast to the present invention. Despite the attention devoted by a cross- 
section of America's largest telecommunications, computer, entertainment and information provider 
companies to some of the problems addressed by the present invention, only the present invention 
provides commercially secure, effective solutions for configurable, general purpose electronic 
commerce transaction/distribution control systems." ('193 2:13) 

- "The features of VDE allow it to function as the first trusted electronic information control 
environment that can conform to, and support, the bulk of conventional electronic commerce and data 
security requirements. In particular, VDE enables the participants in a business value chain model to 
create an electronic version of traditional business agreement terms and conditions and further enables 
these participants to shape and evolve their electronic commerce models as they believe appropriate to 
their business requirements." ('193 8:43) 

- An objective of VDE is supporting a transaction/distribution control standard. Development of such a 
standard has many obstacles, given the security requirements and related hardware and communications 
issues, widely differing environments, information types, types of information usage, business and/or 
data security goals, varieties of participants, and properties of delivered information. A significant 
feature of VDE accommodates the many, varying distribution and other transaction variables by, in 
part, decomposing electronic commerce and data security functions into generalized capability modules 
executable within a secure hardware SPU and/or corresponding software subsystem and further 
allowing extensive flexibility in assembling, modifying, and/or replacing, such modules (e.g. load 
modules and/or methods) in applications run on a VDE installation foundation. This configurability and 
reconfigurability allows electronic commerce and data security participants to reflect their priorities and 
requirements through a process of iteratively shaping an evolving extended electronic agreement 
(electronic control model). ('193 15:66) 

- Some of the key factors contributing to the configurability intrinsic to the present invention include: 

(a) integration into the fundamental control environment of a broad range of electronic appliances 
through portable API and programming language tools that efficiently support merging of control and 
auditing capabilities in nearly any electronic appliance environment while maintaining overall system 
security; 

(b) modular data structures; 

(c) generic content model; 

(d) general modularity and independence of foundation architectural components; 

(e) modular security structures; 

(f) variable length and multiple branching chains of control; and 

(g) independent, modular control structures in the form of executable load modules that can be 
maintained in one or more libraries, and assembled into control methods and models, and where such 
model control schemes can "evolve" as control information passes through the VDE installations of 
participants of a pathway of VDE content control information handling. ('193 16:66) 

- "Summary of Some Important Features Provided by VDE in Accordance With the Present Invention: 
VDE employs a variety of capabilities that serve as a foundation for a general purpose, sufficiently 
secure distributed electronic commerce solution. VDE enables an electronic commerce marketplace that 
supports divergent, competitive business partnerships, agreements, and evolving overall business 
models. For example, ... provide mechanisms that allow control information to "evolve" and be 
modified according, at least in part, to independently, securely delivered further control information. ... 
Handlers in a pathway of handling of content control information, to the extent each is authorized, can 
establish, modify, and/or contribute to, permission, auditing, payment, and reporting control 
information related to controlling, analyzing, paying for, and/or reporting usage of, electronic content 
and/or appliances (for example, as related to usage of VDE controlled property content)." ('193 21:43, 
29:21) 

- "Summary of Some Important Features Provided by VDE in Accordance With the Present Invention: 
VDE employs a variety of capabilities that serve as a foundation for a general purpose, sufficiently 
secure distributed electronic commerce solution. VDE enables an electronic commerce marketplace that 
supports divergent, competitive business partnerships, agreements, and evolving overall business 
models. For example, ... enable a user to securely extract, through the use of the secure subsystem at 
the user's VDE installation, at least a portion of the content included within a VDE content container to 
produce a new, secure object (content container), such that the extracted information is maintained in a 
continually secure manner through the extraction process" ('193 21:43 31:66) 

- "As with the content control information for most VDE managed content, features of the present 
invention allows [sic] the content's control information to: (a) "evolve," for example, the extractor of 
content may add new control methods and/or modify control parameter data, such as VDE application 
compliant methods, to the extent allowed by the content's in-place control information. ...(b) allow a 
user to combine additional content with at least a portion of said extracted content, ...(c) allow a user 
to securely edit at least a portion of said content while maintaining said content in a secure form within 
said VDE content container; ...(d) append extracted content to a pre-existing VDE content container 
object and attach associated control information . . . (e) preserve VDE control over one or more portions 
of extracted content after various forms of usage of said portions ... Generally, the extraction features 
of the present invention allow users to aggregate and/or disseminate and/or otherwise use protected 
electronic content information extracted from content container sources while maintaining secure VDE 
capabilities thus preserving the rights of providers in said content information after various content 
usage processes." ('193 32:27) 

- The secure component based architecture of ROS 602 has important advantages. For example, it 
accommodates limited resource execution environments such as provided by a lower cost SPU 500. It 
also provides an extremely high level of configurability. In fact, ROS 602 will accommodate an almost 
unlimited diversity of content types, content provider objectives, transaction types and client 
requirements. In addition, the ability to dynamically assemble independently deliverable components at 
execution time based on particular objects and users provides a high degree of flexibility. ('193 87:63) 

- "Each logical object structure 800 may also include a "private body" 806 containing or referencing a 
set of methods 1000 (i.e., programs or procedures) that control use and distribution of the object 300. 
The ability to optionally incorporate different methods 1000 with each object is important to making 
VDE 100 highly configurable." ('193 128:25) 

- "VDE methods 1000 are designed to provide a very flexible and highly modular approach to secure 
processing." ('193 181:17) 

- "The reusable functional primitives of VDE 300 can be flexibly combined by content providers to 
reflect their respective distribution objectives." ('193 255:27) 

- "the present invention truly achieves a content control and auditing architecture that can be configured 
to most any commercial distribution embodiment" ('193 261:12) 

- "Adding new content to objects is an important aspect of authoring provided by the present invention. 
Providers may wish to allow one or more users to add, hide, modify, remove and/or extend content that 
they provide. In this way, other users may add value to, alter for a new purpose, maintain, and/or 
otherwise change, existing content. The ability to add content to an empty and/or newly created object 
is important as well." ('193 261:23) 

- "The distribution control information provided by the present invention allows flexible positive 
control. No provider is required to include any particular control, or use any particular strategy, except 
as required by senior control information. Rather, the present invention allows a provider to select from 
generic control components (which may be provided as a subset of components appropriate to a 
provider's specific market, for example, as included in and/or directly compatible with, a VDE 
application) to establish a structure appropriate for a given chain of handling/control." ('193 297:9) 

- "Importantly, VDE securely and flexibly supports editing the content in, extracting content from, 
embedding content into, and otherwise shaping the content composition of, VDE content containers. 
Such capabilities allow VDE supported product models to evolve by progressively reflecting the 
requirements of "next" participants in an electronic commercial model." ('193 297:9) 

- "For instance, the user may have an "access" right, and an "extraction" right, but not a "copy" right." 
('193 159:24) 

- "PERCS 808 specify a set of rights that may be exercised to use or access the corresponding VDE 
object 300. The preferred embodiment allows users to "customize" their access rights by selecting a 
subset of rights authorized by a corresponding PERC 808 and/or by specifying parameters or choices 
that correspond to some or all of the rights granted by PERC 808. These user choices are set forth in a 
user rights table 464 in the preferred embodiment. User rights table (URT) 464 includes URT records, 
each of which correspond to a user (or group of users). Each of these URT records specific users 
choices for a corresponding VDE object more methods 1000 for exercising the rights granted to the 
user by the PERC 808 in a way specified by the choices contained within the URT record." ('193 
156:55) 

- "PERC and URT structures provide a mechanism that may be used to provide precise electronic 
representation of rights and the controls associated with those rights. VDE thus provides a 
"vocabulary" and mechanism by which users and creators may specify their desires." ('193 245:10) 

- "In sum, the present invention allows information contained in electronic information products to be 
supplied according to user specification. Tailoring to user specification allows the present invention to 
provide the greatest value to users, which in turn will generate the greatest amount of electronic 
commerce activity." ('193 22:66) 

- Function: "Adding new content to objects is an important aspect of authoring provided by the present 
invention. Providers may wish to allow one or more users to add, hide, modify, remove and/or extend 
content that they provide. In this way, other users may add value to, alter for a new purpose, maintain, 
and/or otherwise change, existing content. The ability to add content to an empty and/or newly created 
object is important as well." ('193 261:23) 

- Function: "Each logical object structure 800 may also include a "private body" 806 containing or 
referencing a set of methods 1000 (i.e., programs or procedures) that control use and distribution of the 
object 300. The ability to optionally incorporate different methods 1000 with each object is important 
to making VDE 100 highly configurable." ('193 128:25) 

- Function: "An important aspect of adding or modifying content is the choice of encryption/decryption 
keys and/or other relevant aspects of securing new or altered content." ('193 262:21) 

- Function: "Importantly, VDE securely and flexibly supports editing the content in, extracting content 
from, embedding content into, and otherwise shaping the content composition of, VDE content 
containers." ('193 297:9) 

- "VDE also features fundamentally important capabilities for managing content that travels "across" the 
"information highway." These capabilities comprise a rights protection solution that serves all 
electronic community members. These members include content creators and distributors, financial 
service providers, end-users, and others. VDE is the first general purpose, configurable, transaction 
control/rights protection solution for users of computers, other electronic appliances, networks, and the 
information highway." ('193 2:27) 

- VDE provides a unified solution that allows all content creators, providers, and users to employ the 
same electronic rights protection solution. ('193 5:17) 

- "Since different groups of components can be put together for different applications, the present 
invention can provide electronic control information for a wide variety of different products and 
markets. This means the present invention can provide a "unified," efficient, secure, and cost-effective 
system for electronic commerce and data security. This allows VDE to serve as a single standard for 
electronic rights protection, data security, and electronic currency and banking." ('193 7:6) 

- "Employing VDE as a general purpose electronic transaction/distribution control system allows users 
to maintain a single transaction management control arrangement on each of their computers, networks, 
communication nodes, and/or other electronic appliances. Such a general purpose system can serve the 
needs of many electronic transaction management applications without requiring distinct, different 
installations for different purposes. As a result, users of VDE can avoid the confusion and expense and 
other inefficiencies of different, limited purpose transaction control applications for each different 
content and/or business model. For example, VDE allows content creators to use the same VDE 
foundation control arrangement for both content authoring and for licensing content from other content 
creators for inclusion into their products or for other use. Clearinghouses, distributors, content creators, 
and other VDE users can all interact, both with the applications running on their VDE installations, and 
with each other, in an entirely consistent manner, using and reusing (largely transparently) the same 
distributed tools, mechanisms, and consistent user interfaces, regardless of the type of VDE activity." 
('193 11:38) 

- An objective of VDE is supporting a transaction/distribution control standard. ('193 55:66) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present 
Invention.... The design of the VDE foundation, VDE load modules, and VDE containers, are 
important features that enable the VDE node operating environment to be compatible with a very broad 
range of electronic appliances. The ability, for example, for control methods based on load modules to 
execute in very "small" and inexpensive secure sub-system environments, such as environments with 
very little read/write memory, while also being able to execute in large memory sub-systems that may 
be used in more expensive electronic appliances, supports consistency across many machines. This 
consistent VDE operating environment, including its control structures and container architecture, 
enables the use of standardized VDE content containers across a broad range of device types and host 
operating environments. Since VDE capabilities can be seamlessly integrated as extensions, additions, 
and/or modifications to fundamental capabilities of electronic appliances and host operating systems, 
VDE containers, content control information, and the VDE foundation will be able to work with many 
device types and these device types will be able to consistently and efficiently interpret and enforce 
VDE control information. ('193 llj42 34*26) 

- This rationalization stems from the reusability of control structures and user interfaces for a wide 
variety of transaction management related activities. As a result, content usage control, data security, 
information auditing, and electronic financial activities, can be supported with tools that are reusable, 
convenient, consistent, and familiar. In addition, a rational approach—a transaction/distribution control 
standard—allows all participants in VDE the same foundation set of hardware control and security, 
authoring, administration, and management tools to support widely varying types of information, 
business market model, and/or personal objectives ('193 11:26) 

- Because of the breadth of issues resolved by the present invention, it can provide the emerging 
"electronic highway" with a single transaction/distribution control system that can, for a very broad 
range of commercial and data security models, ensure against unauthorized use of confidential and/or 
proprietary information and commercial electronic transactions. VDE's electronic transaction 
management mechanisms can enforce the electronic rights and agreements of all parties participating in 
widely varying business and data security models, and this can be efficiently achieved through a single 
VDE implementation within each VDE participant's electronic appliance. VDE supports widely varying 
business and/or data security models that can involve a broad range of participants at various "levels" of 
VDE content and/or content control information pathways of handling. Different content control and/or 
auditing models and agreements may be available on the same VDE installation. These models and 
agreements may control content in relationship to, for example, VDE installations and/or users in 
general; certain specific users, installations, classes and/or other groupings of installations and/or users; 
as well as to electronic content generally on a given installation, to specific properties, property 
portions, classes and/or other groupings of content. ('193 17:22) 

- "the present invention's trusted/secure, universe wide, distributed transaction control and 
administration system." ('193 35:66) 

- "Commerce Utility Systems 90 are generalized and programmable..." ('712 67:7) 

- "Providers of "electronic currency" have also created protections for their type of content. These 
systems are not sufficiently adaptable, efficient, nor flexible enough to support the generalized use of 
electronic currency. Furthermore, they do not provide sophisticated auditing and control configuration 
capabilities. This means that current electronic currency tools lack the sophistication needed for many 
real-world financial business models. VDE provides means for anonymous currency and for 
"conditionally" anonymous currency, wherein currency related activities remain anonymous except 
under special circumstances." ('193 3:30) 

- "Traditional content control mechanisms often require users to purchase more electronic information 
than the user needs or desires. For example, infrequent users of shrink-wrapped software are required to 
purchase a program at the same price as frequent users, even though they may receive much less value 
from their less frequent use. Traditional systems do not scale cost according to the extent or character of 
usage and traditional systems can not attract potential customers who find that a fixed price is too high. 
Systems using traditional mechanisms are also not normally particularly secure. For example, 
shrink-wrapping does not prevent the constant illegal pirating of software once removed from either its 
physical or electronic package." ('193 5:50) 

- "Traditional electronic information rights protection systems are often inflexible and inefficient and 
may cause a content provider to choose costly distribution channels that increase a product's price. In 
general these mechanisms restrict product pricing, configuration, and marketing flexibility. These 
compromises are the result of techniques for controlling information which cannot accommodate both 
different content models and content models which reflect the many, varied requirements, such as 
content delivery strategies, of the model participants. This can limit a provider's ability to deliver 
sufficient overall value to justify a given product's cost in the eyes of many potential users. VDE allows 
content providers and distributors to create applications and distribution networks that reflect content 
providers' and users' preferred business models. It offers users a uniquely cost effective and feature rich 
system that supports the ways providers want to distribute information and the ways users want to use 
such information." ('193 5:36) 

- "VDE does not require electronic content providers and users to modify their business practices and 
personal preferences to conform to a metering and control application program that supports limited, 
largely fixed functionality [sic]. Furthermore, VDE permits participants to develop business models not 
feasible with non-electronic commerce, for example, involving detailed reporting of content usage 
information, large numbers of distinct transactions at hitherto infeasible low price points, "pass-along" 
control information that is enforced without involvement or advance knowledge of the participants, 
etc." ('193 9:67) 

- "VDE can further be used to enable commercially provided electronic content to be made available to 
users in user defined portions, rather than constraining the user to use portions of content that were 
"predetermined" by a content creator and/or other provider for billing purposes." ('193 11:66) 

- "The "usage map" concept provided by the preferred embodiment may be tied to the concept of 
"atomic elements." In the preferred embodiment, usage of an object 300 may be metered in terms of 
"atomic elements." In the preferred embodiment, an "atomic element" in the metering context defines a 
unit of usage that is "sufficiently significant" to be recorded in a meter. The definition of what 
constitutes an "atomic element" is determined by the creator of an object 300. For instance, a "byte" of 
information content contained in an object 300 could be defined as an "atomic element," or a record of 
a database could be defined as an "atomic element," or each chapter of an electronically published book 
could be defined as an "atomic element."" ('193 144:53) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present Invention. 
VDE employs a variety of capabilities that serve as a foundation for a general purpose, sufficiently 
secure distributed electronic commerce solution. VDE enables an electronic commerce marketplace that 
supports divergent, competitive business partnerships, agreements, and evolving overall business 
models. For example, VDE includes features that: support dynamic user selection of information 
subsets of a VDE electronic information product (VDE controlled content). This contrasts with the 
constraints of having to use a few high level individual, pre-defined content provider information 
increments such as being required to select a whole information product or product section in order to 
acquire or otherwise use a portion of such product or section. VDE supports metering and usage control 
over a variety of increments (including "atomic" increments, and combinations of different increment 
types) that are selected ad hoc by a user and represent a collection of pre-identified one or more 
increments (such as one or more blocks of a preidentified nature, e.g., bytes, images, logically related 
blocks) that form a generally arbitrary, but logical to a user, content "deliverable." VDE control 
information (including budgeting, pricing and metering) can be configured so that it can specifically 
apply, as appropriate, to ad hoc selection of different, unanticipated variable user selected aggregations 
of information increments and pricing levels can be, at least in part, based on quantities and/or nature of 
mixed increment selections (for example, a certain quantity of certain text could mean associated 
images might be discounted by 15%; a greater quantity of text in the "mixed" increment selection might 
mean the images are discounted 20%). Such user selected aggregated information increments can 
reflect the actual requirements of a user for information and is more flexible than being limited to a 
single, or a few, high level, (e.g. product, document, database record) predetermined increments. Such 
high level increments may include quantities of information not desired by the user and as a result be 
more costly than the subset of information needed by the user if such a subset was available. In sum, 
the present invention allows information contained in electronic information products to be supplied 
according to user specification. Tailoring to user specification allows the present invention to provide 
the greatest value to users, which in turn will generate the greatest amount of electronic commerce 
activity. The user, for example, would be able to define an aggregation of content derived from various 
portions of an available content product, but which, as a deliverable for use by the user, is an entirely 
unique aggregated increment. The user may, for example, select certain numbers of bytes of 
information from various portions of an information product, such as a reference work, and copy them 
to disc in unencrypted form and be billed based on total number of bytes plus a surcharge on the 
number of "articles" that provided the bytes. A content provider might reasonably charge less for such a 
user defined information increment since the user does not require all of the content from all of the 
articles that contained desired information. ('193 21:43, 22:32) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present 
Invention.... Differing models for billing, auditing, and security can be applied to the same piece of 
electronic information content and such differing sets of control information may employ, for control 
purposes, the same, or differing, granularities of electronic information control increments. ('193 2j§|3, 
28:23)) 

- "The VDE templates, classes, and control structures are inherently flexible and configurable to 
reflect the breadth of information distribution and secure storage requirements, to allow for efficient 
adaptation into new industries as they evolve, and to reflect the evolution and/or change of an existing 
industry and/or business, as well as to support one or more groups of users who may be associated with 
certain permissions and/or budgets and object types. The flexibility of VDE templates, classes, and 
basic control structures is enhanced through the use of VDE aggregate and control methods which have 
a compound, conditional process impact on object control. Taken together, and employed at times with 
VDE administrative objects and VDE security arrangements and processes, the present invention truly 
achieves a content control and auditing architecture that can be configured to most any commercial 
distribution embodiment. Thus, the present invention fully supports the requirements and biases of 
content providers without forcing them to fit a predefined application model. It allows them to define 
the rights, control information, and flow of their content (and the return of audit information) through 
distribution channels." ('193 260:66) 

- "VDE also extends usage control information to an arbitrary granular level (as opposed to a file based 
level provided by traditional operating systems) and provides flexible control information over any 
action associated with the information which can be described as a VDE controlled process." ('193 
275:8) 

- "The situation is no better for processing documents within the context of ordinary computer and 
network systems. Although said systems can enforce access control information based on user identity, 
and can provide auditing mechanisms for tracking accesses to files, these are low-level mechanisms 
that do not permit tracking or controlling the flow of content. In such systems, because document 
content can be freely copied and manipulated, it is not possible to determine where document content 
has gone, or where it came from. In addition, because the control mechanisms in ordinary computer 
operating systems operate at a low level of abstraction, the entities they control are not necessarily the 
same as those that are manipulated by users. This particularly causes audit trails to be cluttered with 
voluminous information describing uninteresting activities." ('193 281:27) 

- "Importantly, VDE securely and flexibly supports editing the content in, extracting content from, 
embedding content into, and otherwise shaping the content composition of, VDE content containers." 
('193 297:9) 

- "The InterTrust DigiBox container model allows and facilitates these and other different container 
uses. It facilitates detailed container customization for different uses, classes of use and/or users in 
order to meet different needs and business models. This customization ability is very important, 
particularly when used in conjunction with a general purpose, distributed rights management 
environment such as described in Ginter, et al. Such an environment calls for a practical optimization of 
customizability, including customizability and transparency for container models. This customization 
flexibility has a number of advantages, such as allowing optimization (e.g., maximum efficiency, 
minimum overhead) of the detailed container design for each particular application or circumstance so 
as to allow many different container designs for many different purposes (e.g., business models) to exist 
at the same time and be used by the rights control client (node) on a user electronic appliance such as a 
computer or entertainment device." ('861 2:49) 

- "The node and container model described above and in the Ginter et al. patent specification (along 
with similar other DigiBox/VDE (Virtual Distribution Environment) models) has nearly limitless 
flexibility." ('861 2:37) 

"Such capabilities allow VDE supported product models to evolve by progressively reflecting 
requirements of "next" participants in an electronic commercial models." ('193 297:12) 

Extrinsic: 

VDE: VDE is the broad name given to a comprehensive system (algorithms, software, and hardware) 
that provides metering, securing, and administration tools for intellectual property. VDE stands for 
"Virtual Distribution Environment." (VDE ROI DEVICE v1.0a 9 Feb 1994, IT00008570) 

Virtual: Pertaining to a functional unit that appears to be real, but whose functions are accomplished by 
other means. (IBM) 

Environment: 1. The aggregate of external circumstances, conditions, and objects that affect the 
development, operation, and maintenance of a system. 2. In computer security, those factors, both 
internal and external, of an ADP system that help to define the risks associated with its operation. 
(Longley) 

Environment: See InterTrust node: A computer that is enabled for processing of DigiBox containers 
by installation of a PPE, which may be either hardware or software based. A node may include 
application software and/or operating system integration. The node is also termed the environment. 
(ITG, 8/21/95, IT00032375, TD00068B) 

InterTrust Commerce Architecture model: A model that defines a general-purpose distributed 
architecture for secure electronic commerce and digital rights management. The InterTrust Commerce 
Architecture model includes four key software elements: DigiBox secure containers, InterRights Point 
software with associated protected database, the InterTrust Transaction Authority Framework, and the 
InterTrust Deployment Manager. (ITG, 1997, ML00012A) 

VDE is a system using secure computing technology to enforce a chain of handling and control 
representing the rights of interested parties. (ITG, 3/7/1995, IT00709616) (see footnote 2) 

Virtual Distribution Environment (VDE): A set of components that protects content and enforces rights 
associated with content. (ITG, 3/7/1995, IT00709620, see footnote 2) 

Virtual Distribution Environment: or "VDE" shall mean a system which guarantees: (i) that the 
content creators, publishers, and/or distributors of information receive agreed upon fees for the use of, 
and/or records of the use of, electronic content; and/or (ii) that stored and/or distributed information 
will be used only in authorized ways. More particularly, VDE relates to systems for applying controls 
to, and controlling and/or auditing use of, electronically stored and/or disseminated information. 
(License Agreement, National Semiconductor and EPR, 3/18/94, Exhibit 12 to IT 30(b)(6)) 

IT000 1689-96, IT0709785 (VDE on a Page), IT000202-29 


'193:1 


"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment" 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


receiving a digital file including music 


Intrinsic: 

- "Moreover, when any new VDE object 300 arrives at an electronic appliance 600, the electronic 
appliance must "register" the object within object registry 450 so that it can be accessed." ('193 153:56) 

- "FIGS. 114A and 114B show an example process 4600 for receiving an item. In this example, 
electronic appliance 600 that has received an electronic object 300 may first generate a notification to 
PPE 650 that the container has arrived (FIG. 114A, block 4602). PPE 650 may, in response, use the 
dynamic user interaction techniques discussed above to interact with and authenticate recipient in 
accordance with the electronic controls 4078 within the received object 300 (FIG. 114A block 4603; 
authentication routine shown in FIG. 111). Intended recipient 4056 may be given an option of accepting 
or declining delivery of the object (FIG. 114A, block 4604). If intended recipient 4056 accepts the item, 
appliance may store the container 302 locally (FIG. 114A, block 4606) and then generate a "register 
object" event for processing by PPE 650." 

- while grandparent ('107) did not refer to fax transmission or physical mail, it did recite that the 
delivery means could be by "physical storage media" or by transferring "physical things" ('193 3:26, 
5:4, 1421, 18:10, 127:6, 242:32) 

"In this example, the trusted electronic go-between 4700 receives notification that the 
electronic container 302 has arrived (FIG. 121, block 4752), may store the container locally (FIG. 121, 
block 4754) and opens and authenticates the container and its contents (FIG. 121, block 4756). The 
trusted electronic go-between 4700 may then, if necessary, obtain and locally register any method/rules 
required to interact with secure container 302 (FIG. 121, block 4758)." 

Extrinsic: 


a budget specifying the number of copies which can be made of said digital file 


Intrinsic: 

- For example, content control information for a given piece of content may be stipulated as senior 
information and therefore not changeable, might be put in place by a content creator and might stipulate 
that national distributors of a given piece of their content may be permitted to make 100,000 copies per 
calendar quarter, so long as such copies are provided to bona fide end-users, but may pass only a single 
copy of such content to a local retailers and the control information limits such a retailer to making no 
more than 1,000 copies per month for retail sales to end-users. In addition, for example, an end-user of 
such content might be limited by the same content control information to making three copies of such 
content, one for each of three different computers he or she uses (one desktop computer at work, one for 
a desktop computer at home, and one for a portable computer). ('193 48:19) 

- "storing a first digital file and a first control in a first secure container, said first control constituting 
a first budget which governs the number of copies which may be made of said first digital file or a 
portion of said first digital file while said first digital file is contained in said first secure container," 
('193 claim 60) 

- "A certain content provider might, for example, require metering the number of copies made for 
distribution to employees of a given software program (a portion of the program might be maintained in 
encrypted form and require the presence of a VDE installation to run). This would require the execution 
of a metering method for copying of the property each time a copy was made for another employee." 
('193 20:36) 

- For example in the earlier example of a user with a desktop and a notebook computer, a provider 
may allow a user to make copies of information necessary to enable the notebook computer based on 
information present in the desktop computer, but not allow any further copies of said information to be 
made by the notebook VDE node. In this example, the distribution control structure described earlier 
would continue to exist on the desktop computer, but the copies of the enabling information passed to 
the notebook computer would lack the required distribution control structure to perform distribution 
from the notebook computer. Similarly, a distribution control structure may be provided by a content 
provider to a content provider who is a distributor in which a control structure would enable a certain 
number of copies to be made of a VDE content container object along with associated copies of 
permissions records, but the permissions records would be altered (as per specification of the content 
provider, for example) so as not to allow end-users who received distributor created copies from 
making further copies for distribution to other VDE nodes. ('193 264:29) 

- "Similarly, a distribution control structure may be provided ... so as not to allow end-users who 
received distributor created copies from making further copies for distribution to other VDE nodes." 
('193 264:40) 

- SPU 500 is enclosed within and protected by a "tamper resistant security barrier" 502. Security 
barrier 502 separates the secure environment 503 from the rest of the world. It prevents information and 
processes within the secure environment 503 from being observed, interfered with and leaving except 
under appropriate secure conditions. ('193 59:48) 

- "Secure container 302 may also contain an electronic, digital control structure 4078. This control 
structure 4078 (which could also be delivered independently in another container 302 different from the 
one carrying the image 40681 and/or the data 4068D) may contain important information controlling 
use of container 302. For example, controls 4078 may specify who can open container 302 and under 
what conditions the container can be opened. Controls 4078 might also specify who, if anyone, object 
300 can be passed on to. As another example, controls 4078 might specify restrictions on how the 
image 40681 and/or data 4068D can be used (e.g., to allow the recipient to view but not change the 
image and/or data as one example). The detailed nature of control structure 4078 is described in 
connection, for example, with FIGS. 11D-11J; FIG. 15; FIGS. 17-26B; and FIGS. 41A-61." ('683 
25:62) 

- "Many objects 300 that are distributed by physical media and/or by "out of channel" means (e.g., 
redistributed after receipt by a customer to another customer) might not include key blocks 810 in the 
same object 300 that is used to transport the content protected by the key blocks. This is because VDE 
objects may contain data that can be electronically copied outside the confines of a VDE node. If the 
content is encrypted, the copies will also be encrypted and the copier cannot gain access to the content 
unless she has the appropriate decryption key(s)." ('193 128:66) 

Although block 1262 includes encrypted summary services information on the back up, it preferably 
does not include SPU device private keys, shared keys, SPU code and other internal security 
information to prevent this information from ever becoming available to users even in encrypted form. 
('193 166:59) 

Extrinsic: 


controlling the copies made of said digital file 


See above. 


determining whether said digital file may be copied and stored on a second device based on at least said copy control 


Intrinsic: 

- "Similarly, a distribution control structure may be provided ... so as not to allow end-users who 
received distributor created copies from making further copies for distribution to other VDE nodes." 
('193 264:40) 

- "As mentioned above, traveling objects enable objects 300 to be distributed "Out-Of-Channel;" that 
is, the object may be distributed by an unauthorized or not explicitly authorized individual to another 
individual. "Out of channel" includes paths of distribution that allow, for example, a user to directly 
redistribute an object to another individual. For example, an object provider might allow users to 
redistribute copies of an object to their friends and associates (for example by physical delivery of 
storage media or by delivery over a computer network) such that if a friend or associate satisfies any 
certain criteria required for use of said object, he may do so." ('193 131:53) 

- "In some cases, the extract rights require an exact copy of the PERC 808 associated with the original 
object (or a PERC included for this purpose) to be placed in the new (destination) container ("no" exit 
to decision block 2096)." ('193 194:47) 

- "Metering, billing, and budgeting can allow a provider to enable and limit the copying of a 
permissions record 808." ('193 263:54) 

- "In some circumstances, it may be desirable for a provider to control how administrative processes 
are performed. The provider may choose to include in distribution records stored in secure database 610 
information for use in conjunction with a component assembly 690 that controls and specifies, for 
example, how processing for a given event in relation to a given method and/or record should be 
performed. For example, if a provider wishes to allow a user to make copies of a permissions record 
808, she may want to alter the permissions record internally. For example, in the earlier example of a 
user with a desktop and a notebook computer, a provider may allow a user to make copies of 
information necessary to enable the notebook computer based on information present in the desktop 
computer, but not allow any further copies of said information to be made by the notebook VDE node. 
In this example, the distribution control structure described earlier would continue to exist on the 
desktop computer, but the copies of the enabling information passed to the notebook computer would 
lack the required distribution control structure to perform distribution from the notebook computer. 
Similarly, a distribution control structure may be provided by a content provider to a content provider 
who is a distributor in which a control structure would enable a certain number of copies to be made of 
a VDE content container object along with associated copies of permissions records, but the 
permissions records would be altered (as per specification of the content provider, for example) so as 
not to allow end-users who received distributor created copies from making further copies for 
distribution to other VDE nodes." ('193 264:20) 

"Transfer of ownership of a VDE object 300 is a special case in which all of the permissions and/or 
budgets for a VDE object are redistributed to a different PPE 650. Some VDE objects may require that 
all object-related information be delivered (e.g., it's possible to "sell" all rights to the object). However, 
some VDE objects 300 may prohibit such a transfer." ('193 220:41) 

Extrinsic: 


if said copy control allows at least a portion of said digital file to be copied and stored on a second device 


Intrinsic: 

"Persistence of control includes the ability to extract information from a VDE container object by 
creating a new container whose contents are at least in part secured and that contains both the extracted 
content and at least a portion of the control information which control information of the original 
container and/or are at least in part produced by control information of the original container for this 
purpose and/or VDE installation control information stipulates should persist and/or control usage of 
content in the newly formed container." ('193 28:50) 

"enable a user to securely extract, through the use of the secure subsystem at the user's VDE 
installation, at least a portion of the content included within a VDE content container to produce a new, 
secure object (content container), such that the extracted information is maintained in a continually 
secure manner through the extraction process. Formation of the new VDE container containing such 
extracted content shall result in control information consistent with, or specified by, the source VDE 
content container, and/or local VDE installation secure subsystem as appropriate, content control 
information. Relevant control information, such as security and administrative information, derived, at 
least in part, from the parent (source) object's control information, will normally be automatically 
inserted into a new VDE content container object containing extracted VDE content. This process 
typically occurs under the control framework of a parent object and/or VDE installation control 
information executing at the user's VDE installation secure subsystem (with, for example, at least a 
portion of this inserted control information being stored securely in encrypted form in one or more 
permissions records)." ('193 31:66) 

Extrinsic: 


copying at least a portion of said digital file 


Intrinsic: 

"Usage map meters are thus an efficient means for referencing prior usage. They may be used to enable 
certain VDE related security functions such as testing for contiguousness (including relative 
contiguousness), logical relatedness (including relative logical relatedness), usage randomization, and 
other usage patterns. For example, the degree or character of the "randomness" of content usage by a 
user might serve as a potential indicator of attempts to circumvent VDE content budget limitations. A 
user or groups of users might employ multiple sessions to extract content in a manner which does not 
violate contiguousness, logical relatedness or quantity limitations, but which nevertheless enables 
reconstruction of a material portion or all of a given, valuable unit of content. Usage maps can be 
analyzed to determine other patterns of usage for pricing such as, for example, quantity discounting 
after usage of a certain quantity of any or certain atomic units, or for enabling a user to reaccess an 
object for which the user previously paid for unlimited accesses (or unlimited accesses over a certain 
time duration). Other useful analyses might include discounting for a given atomic unit for a plurality 
of uses." ('193 146:54) 

Extrinsic: 


transferring at least a portion of said digital file to a second device 


Intrinsic: 

- "In this case, these users may still be able to transfer some or all usage rights to another electronic 
appliance 600, and/or they may be permitted to move some of their rights to another electronic 
appliance, if such transferring and/or moving is permitted by the usage permissions received from the 
repository 200g." ('193 317:12) 

- "A result of processing the distribute event within the BUDGET method might be a secure 
communication (1454) between VDE nodes 102 and 106 by which a budget granting use and 
redistribute rights to the distributor 106 may be transferred from the creator 102 to the distributor." 
('193 173:1) 

"VDE securely managed content (e.g. through the use of a VDE aware application or operating system 
having extraction capability) may be identified for extraction from each of one or more locations within 
one or more VDE content containers and may then be securely embedded into a new or existing VDE 
content container through processes executing VDE controls in a secure subsystem PPE 650." ('193 
301:26) 

Extrinsic: 


storing said digital file 


See above. 


'193:11 


Intrinsic: 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


receiving a digital file 


See above. 


determining whether said digital file may be copied and stored on a second device based on said first control 


See above. 


identifying said second device 


See above. 


whether said first control allows transfer of said copied file to said second device 


See above. 




said determination based at least in part on the features present at the device 


Intrinsic: 

- "The software-based tamper resistant barrier 674 provided by HPE 655 may be provided, for 
example, by: . . . using a map of defects on a storage device (e.g., a hard disk, memory card, etc.) to 
form internal test values to impede moving and/or copying HPE 655 to other electronic appliances 600" 
('193 80:40) 

"The degree of trustedness of a VDE arrangement will be primarily based on whether hardware SPUs 
are employed at participant location secure subsystems and the effectiveness of the SPU hardware 
security architecture, software security techniques when an SPU is emulated in software, and the 
encryption algorithm(s) and keys that are employed for securing content, control information, 
communications, and access to VDE node (VDE installation) secure subsystems." ('193 45:52) 

- "Independent claim 122 recites "determining step including identifying said second device and 
determining whether said first control allows transfer of said copied file to said device, said 
determination based at least in part on the features present at the device to which said copied file is to 
be transferred" which distinguishes over Lofberg which provides for determination of the 
identification of a second device (the user station) but dies [sic] not provide for basing the 
determination at least in part on the features present at the device to which the copied file is to be 
transferred." 

"At the terminal TERM the personal data carrier ID is used for the input of customer identification 
information, for example an account number or a corresponding information. Simultaneously, the time 
of rent and a programme identification information is supplied to the terminal." 
(Lofberg, U.S. Pat No. 4,595,950, 12:51-56) 

09/208,017 ('193), Examiner's Supplemental Notice of Allowability, 11/06/00, p. 2 (MSI026638) 
Extrinsic: 


if said first control allows at least a portion of said digital file to be copied and stored on a second device 


See above. 


copying at least a portion of said digital file 


See above. 


transferring at least a portion of said digital file to a second device 


See above. 


storing said digital file 


See above. 


'193:15 


"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


receiving a digital file 


See above. 


an authentication step comprising: 


Intrinsic: 

"The secure subsystems at said user nodes utilize a protocol that establishes and authenticates each 
node's and/or participant's identity" ('193 12:35) 

Extrinsic: 


accessing at least one identifier associated with a first device or with a user of said first device 


Intrinsic: 

- "a stipulation that the traveling object may be used on certain one or more installations or 
installation classes or users or user classes where classes correspond to a specific subset of installations 
or users who are represented by a predefined class identifiers stored in a secure database 610" ('193 
131:40) 

- "Thus, if the user had a VDE node, the user might be able to use the traveling object ... if he or his 
VDE node belonged to a specially authorized group of users or installations" ('193 132:13) 

- "A traveling object might register its user within itself and thereafter only be useable by that one 
user." ('193 133:43) 

- "Administrative objects, for example, may increase or otherwise adjust budgets and/or permissions 
of the receiving VDE node to which the administrative object is being sent" ('193 135:21) 

- "This metering process may . . . record the VDE node name, user name, associated object 
identification information, time, date, and/or other identification information. Some or all of this 
information can become part of audit information securely reported by a clearinghouse or distributor.... 
For each metered one or more permissions records (or set of records) that were created for a certain user 
(and/or VDE node) to manage use of certain one or more VDE object(s) and/or to manage the creation 
of VDE object audit reports, it may be desirable that an auditor receive corresponding audit information 
incorporated into an, at least in part, encrypted audit report" ('193 273:58) 

- "provide very flexible and extensible user identification according to individuals, installations, by 
groups such as classes" ('193 25:31) 

"During the same or different communication session, the terminal could similarly, securely 
communicate back to the portable appliance 2600 VDE secure subsystem details as to the retail 
transaction (for example, what was purchased and price, the retail establishment's digital signature, the 
retail terminal's identifier, tax related information, etc.)." ('193 233:35) 

Extrinsic: 

"User Authentication: The [Database Management System] can require rigorous user authentication. For 
example, a DBMS might require a user to pass both specific password and time-of-day checks." 
(Pfleeger, p.307) 


determining whether said identifier is associated with a device and/or user authorized to store said digital file 


See above. 


storing said digital file in a first secure memory of said first device, but only if said device and/or user is so authorized, but not proceeding with said storing if said device and/or user is not authorized 


Intrinsic: 

Claims 91 and 132, as added with this Preliminary Amendment 
"91. A method comprising: 
receiving a digital file; 

storing said digital file in a first secure memory of a first device; 

storing information associated with said digital file in a secure database stored on said first 
device, said information including at least one control; 

determining whether said digital file may be copied and stored on a second device based on 
said at least one control; 

if said at least one control allows at least a portion of said digital file to be copied and stored 
on a second device, 

copying at least a portion of said digital file; 

transferring at least a portion of said digital file to a second device including a memory and an 
audio and/or video output; 

storing said digital file in said memory of said second device; and 

rendering said digital file through said output" 
"132. A method as in claim 91, further comprising: 

an authentication step occurring prior to said step of storing said digital file in said memory of 
said first device, said authentication step comprising: 

accessing at least one identifier associated with said first device or with a user of said first 
device; 

determining whether said identifier is associated with a device and/or user authorized to store 
said digital file; and 

proceeding with said storing step if said device and/or user is so authorized, but not proceeding 
with said step if said device and/or user is not authorized." 

09/208,017 ('193), Preliminary Amendment, 12/09/98, p. 1-2, 12 

"Claims ... 132-134 ... are objected to as being dependent upon a rejected base claim, but would be 
allowable if rewritten in independent form including all of the limitations of the base claim and any 
intervening claims." 

09/208,017 ('193), Office Action, 06/07/00, p. 4-5 

"132. (Amended) A method [as in claim 91, further] comprising: 
receiving a digital file; 

an authentication step [occurring prior to said step of storing said digital file in said memory of 
said first device, said authentication step] comprising: 

accessing at least one identifier associated with a [said] first device or with a user of said first 
device; and 

determining whether said identifier is associated with a device and/or user authorized to store 
said digital file; [and proceeding with said storing step]; 

storing said digital file in a first secure memory of said first device, but only [proceeding with 
said storing step] if said device and/or user is so authorized, but not proceeding with said storing [step] 
if said device and/or user is not authorized; 

storing information associated with said digital file in a secure database stored on said first 
device, said information including at least one control; 

determining whether said digital file may be copied and stored on a second device based on 
said at least one control; 

if said at least one control allows at least a portion of said digital file to be copied and stored 
on a second device, 

copying at least a portion of said digital file; 

transferring at least a portion of said digital file to a second device including a memory and an 
audio and/or video output; 

storing said digital file in said memory of said second device; and 
rendering said digital file through said output." 

(pg. 5-6) 

"The examiner also objected to claims ... 132-134, ... as dependent upon a rejected base claim (OA, 
¶5). With this Amendment, Applicants have amended the above-mentioned claims to an independent
form including all the limitations of the rejected base claim and any intervening claims per the 
Examiner's suggestion." 
(pg. 22)

09/208,017 ('193), Amendment, 08/04/00, p. 5-6, 22
Extrinsic: 


storing information associated with said digital file in a secure database stored on said first device, said information including at least one control


See above.


determining whether said digital file may be copied and stored on a second device based on said at least one control


See above.


if said at least one control allows at least a portion of said digital file to be copied and stored on a second device,


See above.


copying at least a portion of said digital file


See above.


transferring at least a portion of said digital file to a second device


See above.


storing said digital file


See above.


'193:19


Intrinsic: 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2
See "Virtual Distribution Environment" above. 


receiving a digital file at a first device


See above.


establishing communication between said first device and a clearinghouse located at a location remote from said first device


Intrinsic: 

"A usage clearinghouse 200c as described above in connection with FIG. 1A and/or as disclosed in the
Shear et al. patent disclosure may be used to track the audit information based on event-driven or
periodic reporting, for example. Audit records could be transmitted to a usage clearinghouse (or to a
trusted go-between 4700) by an automatic call forwarding transmission, by a supplement call during
transmission, by period update of audit information, by the maintenance of a constant communication
line or open network pathway, etc." ('683 37:56)

Extrinsic: 


using said authorization information to gain access to or make at least one use of said first digital file


See above.


receiving a first control from said clearinghouse at said first device


See above.


storing said first digital file in a memory of said first device


See above.


using said first control to determine whether said first digital file may be copied and stored on a second device


See above.


if said first control allows at least a portion of said first digital file to be copied and stored on a second device


See above.


copying at least a portion of said first digital file


See above.


transferring at least a portion of said first digital file to a second device including a memory and an audio and/or video output


See above.


storing said first digital file portion


See above.




'683:2 


Intrinsic: 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment."

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2

See "Virtual Distribution Environment" above. 

Prosecution History of '683 Patent

"A comparison of independent claim 7 to Fischer to derive the similarities and differences between the
claimed invention and the prior art follows. ... claim 7 recites hardware and/or software used for
transmission of secure containers to other apparatuses and/or for the receipt of secure containers from
other apparatuses, see column 1, lines 18-24 and column 4, lines 58-69"

09/221,479 ('683), Office Action, 11/12/99, 4-5 (IT00065 800-01)

- Fischer, U.S. Pat. No. 5,412,717:

"Each terminal, A, B . . . N also includes a conventional IBM communications board (not shown) 
which when coupled to a conventional modem 6, 8, 10, respectively, permits the terminals to transmit 
and receive messages. Each terminal is capable of generating a message performing whatever digital 
signature operations may be required and transmitting the message to any of the other terminals 
connected to communications channel 12 (or a communications network (not shown), which may be 
connected to communications channel 12)." (4:58-69) 


the first secure container having been received from a second apparatus


Intrinsic: 

- "Incoming administrative object manager 756 typically maintains records (in concert with SPE 503)
in secure database 610 (e.g., receiving table 446) that record which objects have been received, objects
expected for receipt, and other information related to received and/or expected objects." ('193 102:46)

- REGISTER method 2400 in this "administrative response" mode may prime appropriate audit trails
(blocks 2460, 2462), and then may unpack the received administrative object and write the associated
register request(s) configuration information into the secure database (blocks 2464, 2466). REGISTER
method 2400 may then retrieve the administrative request from the secure database and determine
which response method to run to process the request (blocks 2468, 2470). If the user fails to provide
sufficient information to register the object, REGISTER method 2400 may fail (blocks 2472, 2474).
('193 179:23)

- "Referring to FIG. 110, appliance 600 may then deliver the secure container(s) 302 to the intended
recipient 4056 and/or to trusted electronic go-between 4700 based upon the instructions of sender 4052
as now reflected in the electronic controls 4078 associated with the object 300 (FIG. 110, block 4514).
Such delivery is preferably by way of electronic network 4058 (672), but may be performed by any
convenient electronic means such as, for example, Internet, Electronic Mail or Electronic Mail
Attachment, WEB Page Direct, Telephone, floppy disks, bar codes in a fax transmission, filled ovals on
a form delivered through physical mail, or any other electronic means to provide contact with the
intended recipient(s)." ('683 40:10)

Extrinsic: 


an aspect of access to or use of


See above.


the first secure container rule having been received from a third apparatus different from said second apparatus


Intrinsic: 

"[A]pplicants' independent claims ... require secure delivery of both first and second control items
originating from someplace other than the appliance where they are used, at least in part, for controlling 
the same process, operation or the like. This feature in combination is not taught or suggested by 
Johnson and/or Rosen." 

08/388,107, Amendment, 06/20/97, p. 23 (MSI028847) 

- "Appliance 600 may next, if necessary, obtain and locally register any methods, controls or other
information required to manipulate object 300 or its contents (FIG. 115, block 4607B; see registration
method shown in FIGS. 43a-d). For example, item 4054 may be delivered independently of an
associated control set 4078, where the control set may only be partial, such that appliance 600 may
require additional controls from permissioning agent 200f (see FIG. 1A and "rights and permissions
clearing house" description in the copending Shear et al. patent disclosure) or other archive in order to
use the item." ('683 41:4)

- "Secure container 302 may also contain an electronic, digital control structure 4078. This control
structure 4078 (which could also be delivered independently in another container 302 different from the
one carrying the image 4068I and/or the data 4068D) may contain important information controlling
use of container 302." ('683 25:62)

Extrinsic: 


hardware or software used for receiving and opening secure containers


Intrinsic: 

"Please ... add the following new claims:

7. A system including, ... hardware and/or software used for receiving and opening secure containers"

09/221,479 ('683), Preliminary Amendment, 12/28/98, p. 2

- "SPU 500 in this example is an integrated circuit ("IC") "chip" 504 including "hardware" 506 and
"firmware" 508. SPU 500 connects to the rest of the electronic appliance through an "appliance link" 
510. SPU "firmware" 508 in this example is "software" such as a "computer program(s)" "embedded" 
within chip 504. Firmware 508 makes the hardware 506 work. Hardware 506 preferably contains a 
processor to perform instructions specified by firmware 508. "Hardware" 506 also contains long-term 
and short-term memories to store information securely so it can't be tampered with. SPU 500 may also 
have a protected clock/calendar used for timing events. The SPU hardware 506 in this example may 
include special purpose electronic circuits that are specially designed to perform certain processes (such 
as "encryption" and "decryption") rapidly and efficiently." ('193 59:60) 

- "Referring to FIG. 110, appliance 600 may then deliver the secure container(s) 302 to the intended
recipient 4056 and/or to trusted electronic go-between 4700 based upon the instructions of sender 4052
as now reflected in the electronic controls 4078 associated with the object 300 (FIG. 110, block 4514).
Such delivery is preferably by way of electronic network 4058 (672), but may be performed by any
convenient electronic means such as, for example, Internet, Electronic Mail or Electronic Mail
Attachment, WEB Page Direct, Telephone, floppy disks, bar codes in a fax transmission, filled ovals on
a form delivered through physical mail, or any other electronic means to provide contact with the
intended recipient(s)." ('683 40:10)

- while grandparent ('107) did not refer to fax transmission or physical mail, it did recite that the
delivery means could be by "physical storage media" or by transferring "physical things" ('193 3:28,
5:4, 14:21, 18:10, 53:33, 127:6, 245:32)

- "Incoming administrative object manager 756 receives administrative objects from other VDE
electronic appliances 600 via communications manager 776." ('193 102:42)

- Trusted go-between 4700 might be authorized to register (but not open) the containers 302(1) it
receives for later use as evidence in court 5016. ('683 52:35)

479.7: "hardware and or/ [sic, and/or] software" 

Extrinsic: 


said secure containers each including the capacity to contain a governed item, a secure container rule being associated with each of said secure containers


Intrinsic: 

"VDE object creation in the preferred embodiment employs VDE templates whose atomic elements 
represent at least in part modular control processes. Employing VDE creation software (in the 
preferred embodiment a GUI programming process) and VDE templates, users may create VDE objects 
300 by, for example, partitioning the objects, placing "meta data" (e.g., author's name, creation date, 
etc.) into them, and assigning rights associated with them and/or object content to, for example, a 
publisher and/or content creator. When a object creator runs through this process, she normally will go 
through a content specification procedure which will request required data. The content specification 
process, when satisfied, may be proceed by, for example, inserting data into a template and 
encapsulating the content." ('193 259:37)

Extrinsic: 


protected processing environment at least in part protecting information contained in said protected processing environment from tampering by a user of said first apparatus


Intrinsic: 

See "protected processing environment" for Prosecution History limitations. 

"Such documents may be handled by people (referred to as "users") and/or by computers operating on
behalf of users." ('193 277:36)

Extrinsic: 


hardware or software used for applying said first secure container rule and a second secure container rule in combination to at least in part govern at least one aspect of access to or use of a governed item contained in a secure container


Intrinsic: 

Prosecution History of '683 Patent:

"A comparison of independent claim 7 to Fischer to derive the similarities and differences between the
claimed invention and the prior art follows. ... The combination of the first rule and the rule associated
with the secure container is discussed at column 17, lines 40-61"

U.S. Pat. No. 5,412,717 17:40-51:

"Thereafter, the program X's program authorizing information is combined, as appropriate, with the
PAI associated with the PCB of the calling program, if any. This combined PAI, which may include
multiple PAI's, is then stored in an area of storage which cannot generally be modified by the program
and the address of the PAI is stored in the process control block (PCB) as indicated in field 156 of FIG.
5. Thus, if program X is called by a calling program, it is subject to all its own constraints as well as
being combined in some way with the constraints of the calling program, which aggregate constraints
are embodied into program X's PAI."

"A permissions record 808 may include requirements associated with this control information in
combination with other control information, or a separate permissions record 808 may be used." ('193
262:17)

09/221,479 ('683), Office Action, 11/12/99, 4-5 (IT00065 800-01)

- "The VDE content control architecture allows content control information (such as control
information for governing content usage) to be shaped to conform to VDE control information 
requirements of multiple parties. Formulating such multiple party content control information normally
involves securely deriving control information from control information securely contributed by parties
who play a role in a content handling and control model (e.g. content creator(s), provider(s), user(s),
clearinghouse(s), etc.). Multiple party control information may be necessary in order to combine 
multiple pieces of independently managed VDE content into a single VDE container object (particularly 
if such independently managed content pieces have differing, for example conflicting, content control 
information). Such secure combination of VDE managed pieces of content will frequently require 
VDE's ability to securely derive content control information which accommodates the control 
information requirements, including any combinatorial rules, of the respective VDE managed pieces of 
content and reflects an acceptable agreement between such plural control information sets." ('193 
296:12) 

- "The role of go-between 4700 may, in some circumstances, be played by one of the participant's 
SPU's 500 (PPEs), since SPU (PPE) behavior is not under the user's control, but rather can be under the 
control of rules and controls provided by one or more other parties other than the user (although in 
many instances the user can contribute his or her own controls to operate in combination with controls 
contributed by other parties)." ('683 24:26)

- "Many such load modules are inherently configurable, aggregatable, portable, and extensible and 
singularly, or in combination (along with associated data), run as control methods under the VDE 
transaction operating environment." ('193 25:48) 

- "A permissions record 808 may include requirements associated with this control information in 
combination with other control information, or a separate permissions record 808 may be used." ('193 
262:17) 

- "Seniority of contributed control information, including resolution of conflicts between content 
control information submitted by multiple parties, is normally established by:..." ('193 46:30)

- "This attribute of supporting multiple party securely, independently deliverable control information 
is fundamental to enabling electronic commerce, that is, defining of a content and/or appliance control 
information set that represents the requirements of a collection of independent parties such as content 
creators, other content providers, financial service providers, and/or users." ('193 84:10) 

- "A significant feature of VDE accommodates the many, varying distribution and other transaction 
variables by, in part, decomposing electronic commerce and data security functions into generalized 
capability modules executable within a secure hardware SPU and/or corresponding software subsystem 
and further allowing extensive flexibility in assembling, modifying, and/or replacing, such modules 
(e.g. load modules and/or methods) in applications run on a VDE installation foundation. This 
configurability and reconfigurability allows electronic commerce and data security participants to
reflect their priorities and requirements through a process of iteratively shaping an evolving extended
electronic agreement (electronic control model). This shaping can occur as content control information
passes from one VDE participant to another and to the extent allowed by "in place" content control
information. This process allows users of VDE to recast existing control information and/or add new
control information as necessary (including the elimination of no longer required elements)." ('193
16:5) 

- "A significant facet of the present invention's ability to broadly support electronic commerce is its 
ability to securely manage independently delivered VDE component objects containing control 
information (normally in the form of VDE objects containing one or more methods, data, or load 
module VDE components). This independently delivered control information can be integrated with 
senior and other pre-existing content control information to securely form derived control information 
using the negotiation mechanisms of the present invention. All requirements specified by this derived 
control information must be satisfied before VDE controlled content can be accessed or otherwise used. 
This means that, for example, all load modules and any mediating data which are listed by the derived 
control information as required must be available and securely perform their required function." ('193 
10:66) 

- "Embedding takes content that is already in a container and stores it (or the complete object) in 
another container directly and/or by reference, integrating the control information associated with 
existing content with those of the new content" ('193 194:24) 
- However, the EMBED method 2110 performs a slightly different function-it writes an object (or
reference) into a destination container. Blocks 2112-2122 shown in FIG. 57b are similar to blocks
2082-2092 shown in FIG. 57a. At block 2124, EMBED method 2110 writes the source object into the
destination container, and may at the same time extract or change the control information of the
destination container. One alternative is to simply leave the control information of the destination
container alone, and include the full set of control information associated with the object being
embedded in addition to the original container control information. As an optimization, however, the
preferred embodiment provides a technique whereby the control information associated with the object
being embedded are "abstracted" and incorporated into the control information of the destination
container. ('193 195:3)

- Users of VDE may include content creators who apply content usage, usage reporting, and/or usage 
payment related control information to electronic content and/or appliances for users such as end-user 
organizations, individuals, and content and/or appliance distributors. ('193 9:40)

- For example, in a VDE aware word processor application, a user may be able to "print" a document 
into a VDE content container object, applying specific control information by selecting from amongst a 
series of different menu templates for different purposes (for example, a confidential memo template for 
internal organization purposes may restrict the ability to "keep," that is to make an electronic copy of 
the memo). ('193 26:59)

- '479 c. 7: "hardware and/or software used for"

- "Collection of terms (a control set) define a contract associated with a specific right," ('193 245:56)

- "securely combining said first and second controls to form a set of controls." ('107 pg. 733 claim
45)

- "the right to use the content may be associated with two control sets. One control set may describe a
fixed ("higher") price for using the content. Another control set may describe a fixed ("lower") price
for using the content with additional content information and field specification requiring collection and
return the user's personal information." ('193 246:50)

- "Multiple party control information may be necessary in order to combine multiple pieces of 
independently managed VDE content into a single VDE container object (particularly if such 
independently managed content pieces have differing, for example, conflicting, content control 
information). Such secure combinations of VDE managed pieces of content will frequently require 
VDE's ability to securely derive content control information which accommodates the control 
information requirements, including any combinatorial rules, of the respective VDE managed pieces of 
content and reflects an acceptable agreement between such plural control information sets." ('193
296:21) 

- "Control sets 914, in turn, each includes a control set header 916, a control method 918, and one or 
more required methods records 920." ('193 150:24)

- "Each control set 914 contains as many required methods records 920 as necessary to satisfy all of the
requirements of the creators and/or distributors for the exercise of a right." ('193 150:51)

"Control sets 914 exist in two types in VDE 100: common required control sets which are given
designations, "control sets 0" or "control set for right," and a set of control set options. "Control set 0"
902 contain a list of required methods that are common to all control set options, so that the common
required methods do not have to be duplicated in each control set option. A "control set for right"
[illegible] contain a similar list for control sets within a given right. "Control set 0" and any "control
sets for rights" are thus, as mentioned above, optimizations; the same functionality for the control set
can be accomplished by listing all the common required methods in each control set option and omitting
"control set 0" and any "controls set for rights." ('193 150:30) [see Fig. 26]

- "Rights and permissions clearinghouses 400 may then distribute a new, combined control set
188ABC consistent with each of the individual control sets 188A, 188B, 188C — relieving the value
chain participants from having to formulate any control sets other than the one they are particularly
concerned about." ('712 190:14-18)
- "May form an overall transaction control set from a number of discrete sub-control sets contributed,
for example, by a number of different participants." ('712 234:12-15)

"Transaction authority 700 also receives another control set 188X specifying how to link the various 
participants' control sets together into overall transactions processes with requirements and limitations 
(Figures 58A and 58B, block 752). The overall transaction control set 188Y specifies how to resolve 
conflicts between the sub-transaction control set 188 (1), 188 (N) provided by the individual 
participants (this could involve, for example, an electronic negotiation process 798 as shown in Figures 
75A-76A of the Ginter et al. patent disclosure). The transaction authority 700 combines the
participant's individual control sets - tying them together with additional logic create an overall
transaction control superset 188Y (Figures 58A and 58B, block 752)." ('712 243:8-19) 

Extrinsic: 


hardware or software used for transmission of secure containers to other apparatuses or for the receipt of secure containers from other apparatuses.


Intrinsic: 

"Referring to FIG. 110, appliance 600 may then deliver the secure container(s) 302 to the intended
recipient 4056 and/or to trusted electronic go-between 4700 based upon the instructions of sender 4052
as now reflected in the electronic controls 4078 associated with the object 300 (FIG. 110, block 4514).
Such delivery is preferably by way of electronic network 4058 (672), but may be performed by any
convenient electronic means such as, for example, Internet, Electronic Mail or Electronic Mail
Attachment, WEB Page Direct, Telephone, floppy disks, bar codes in a fax transmission, filled ovals
on a form delivered through physical mail, or any other electronic means to provide contact with the
intended recipient(s)." ('683 40:10)

while grandparent ('107) did not refer to fax transmission or physical mail, it did recite that the
delivery means could be by "physical storage media" or by transferring "physical things" ('193 3:28,
5:4, 14:21, 18:10, 53:33, 127:6, 245:32)

Those programs may communicate with the PPE 650 component of a user's electronic appliance
600 to make VDE-protected documents available for use while limiting the extent to which their
contents may be copied, stored, viewed, modified, and/or transmitted and/or otherwise further
distributed outside the specific electronic appliance. ('193 279:3)

Extrinsic: 


'721:1 


Intrinsic: 
USP 5,757,914 
USP 4,930,703 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 


digitally signing a first load module with a first digital signature designating the first load module for use by a first

Intrinsic: 

- "A hierarchy of assurance levels may be provided for different protected processing environment 
security levels. Load modules or other executables can be provided with digital signatures associated 
with particular assurance levels. Appliances assigned to particular assurance levels can protect 
themselves from executing load modules or other executables associated with different assurance levels. 
Different digital signatures and/or certificates may be used to distinguish between load modules or other 
executables intended for different assurance levels." ('721 6:16)

- "Encryption can be used in combination with the assurance level scheme discussed above to ensure
that load modules or other executables can be executed only in specific environments or types of 
environments. The secure way to ensure that a load module or other executable can't execute in a 
particular environment is to ensure that the environment doesn't have the key(s) necessary to decrypt it." 
('721 6:63) 

- "A protected processing environment(s) of assurance level I protects itself (themselves) by executing 
only load modules 54 sealed with an assurance level I digital signature 106(I). Protected processing
environment(s) 108 having an associated assurance level I is (are) securely issued a public key 124(I)
that can "unlock" the level I digital signature. Similarly, a protected processing environment(s) of
assurance level II protects itself (themselves) by executing only the same (or different) load module 54
sealed with a "Level II" digital signature 106(II). Such a protected processing environment 108 having
an associated corresponding assurance level II possess a public key 124(II) used to "unlock" the level II
digital signature. A protected processing environment(s) 108 of assurance level III protects itself
(themselves) by executing only load modules 54 having a digital signature 106(III) for assurance level
III. Such an assurance level III protected processing environment 108 possesses a corresponding
assurance level 3 public key 124(III)." ('721 17:48)

- "More specifically, a particular assurance level appliance 61 thus protects itself from using a load 
module 54 of a different assurance level. Digital signatures (and/or signature algorithms) 106 in this 
sense create the isolated "desert islands" shown—since they allow execution environments to protect
themselves from "off island" load modules 54 of different assurance levels." ('721 19:61) 

"If a load module is encrypted differently for different assurance levels, and the keys and/or algorithms 
that are used to decrypt such load modules are only distributed to environments of the same assurance 
level, an additional measure of security is provided." ('721 20:7) 

Extrinsic: 


digitally signing a second load module with a second digital signature different from the first digital signature, the second digital signature designating the second load module for use by a second device class having at least one of tamper resistance and security level different from the at least one of tamper resistance and security level of the first device class


Intrinsic: 

- "In one example, verifying authority 100 may digitally sign identical copies of load module 54 for 
use by different classes or "assurance levels" of electronic appliances 61." 

- "Protected execution spaces such as protected processing environments can be programmed or 
otherwise conditioned to accept only those load modules or other executables bearing a digital 
signature/certificate of an accredited (or particular) verifying authority. Tamper resistant barriers may 
be used to protect this programming or other conditioning. The assurance levels described below are a 
measure or assessment of the effectiveness with which this programming or other conditioning is 
protected." 

- "For example, protected processing environments or other secure execution spaces that are more 
impervious to tampering (such as those providing a higher degree of physical security) may use an
assurance level that isolates it from protected processing environments or other secure execution spaces 
that are relatively more susceptible to tampering (such as those constructed solely by software 
executing on a general purpose digital computer in a non-secure location)." ('721 6:34) 

- "The present invention may use a verifying authority and the digital signatures it provides to 
compartmentalize the different electronic appliances depending on their level of security (e.g., work 
factor or relative tamper resistance)." 

- "Assurance level I might be used for an electronic appliance(s) 61 whose protected processing
environment 108 is based on software techniques that may be somewhat resistant to tampering. An
example of an assurance level I electronic appliance 61A might be a general purpose personal computer
that executes software to create protected processing environment 108. An assurance level II electronic
appliance 61B may provide a protected processing environment 108 based on a hybrid of software
security techniques and hardware-based security techniques. An example of an assurance level II
electronic appliance 61B might be a general purpose personal computer equipped with a hardware
integrated circuit secure processing unit ("SPU") that performs some secure processing outside of the
SPU (see Ginter et al. patent disclosure FIG. 10 and associated text). Such a hybrid arrangement might 
be relatively more resistant to tampering than a software-only implementation. The assurance level III 
appliance 61C shown is a general purpose personal computer equipped with a hardware-based secure 
processing unit 132 providing and completely containing protected processing environment 108 (see 
Ginter et al. FIGS. 6 and 9 for example). A silicon-based special purpose integrated circuit security chip 
is relatively more tamper-resistant than implementations relying on software techniques for some or all 
of their tamper-resistance." 

"Assurance level in this example may be assigned to a particular protected processing environment 108 
at initialization (e.g., at the factory in the case of hardware-based secure processing units). Assigning 
assurance level at initialization time facilitates the use of key management (e.g., secure key exchange 
protocols) to enforce isolation based on assurance level. For example, since establishment of assurance 
level is done at initialization time, rather than in the field in this example, the key exchange mechanism 
can be used to provide new keys (assuming an assurance level has been established correctly)." 

Extrinsic: 


distributing the 

first load module 

for use by at least 

one device in the 

first device class 


See above. 


distributing the 
second load 
module for use 
by at least one 
device in the 
second device 
class 


See above. 


'721:34 


Intrinsic: 
USP 5,757,914 
USP 4,930,703 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment" 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


arrangement 
within the first 
tamper resistant 
barrier 


Intrinsic: 

An important part of VDE provided by the present invention is the core secure transaction control 
arrangement, herein called an SPU (or SPUs), that typically must be present in each user's computer, 
other electronic appliance, or network. ('193 48:66) 

Extrinsic: 


prevents the first 
secure execution 
space from 
executing the 
same executable 


Intrinsic: 

"In accordance with this feature of the invention, verifying authority 100 supports all of these various 
categories of digital signatures, and system 50 uses key management to distribute the appropriate 
verification keys to different assurance level devices. For example, verifying authority 100 may 
digitally sign a particular load module 54 such that only hardware-only based server(s) 402(3) at 
accessed by a 
second secure 
execution space 
having a second 
tamper resistant 
barrier with a 
second security 
level different 
from the first 
security level 


assurance level XI may authenticate it. This compartmentalization prevents any load module executable 
on hardware-only servers 402(3) from executing on 

software-only protected processing environment based support service 4U4U». { u\ w.u) 
Extrinsic: 


'861:58 


Intrinsic: 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


creating a first 
secure container 


Intrinsic: 

- "For example, the descriptive data structure may be used in a creation process 302. The creation 
process 302 may read the descriptive data structure and, in response, create an output file 400 with a 
predefined format such as, for example, a container 100 corresponding to a format described by the 
descriptive data structure 200." ('861 11:58; Fig. 3) 

- "The output of the layout tool 300 may be a descriptive data structure 200 in the form of, for 
example, a text file. A secure packaging process 302a may accept container specific data as an input. 
It may also accept the descriptive data structure 200 as a read only input. The packager 302a could 
be based on a graphical user interface and/or it could be automated. The packager 302a packages the 
container specific data 314 into a secure container 100. It may also package descriptive data structure 
200 into the same container 100 if desired." ('861 12:9, and see Fig. 4) 

- "Descriptive data structure 200 may provide encodings of other characteristics in the form of 
metadata that can also be used by application 506 during a process of creating, using or manipulating 
container 100." ('861 13:30) 

- "This invention relates to techniques for defining, creating, and manipulating rights management 
data structures." ('861 1:23) 

- "Therefore, the container creation and usage tools must themselves be secure in the sense that they 
must protect certain details about the container design." ('861 4:59) 

- "The above-referenced Ginter et al. patent specification describes, by way of non-exhaustive 
example, "templates" that can act as a set (or collection of sets) of control instructions and/or data for 
object control software. See, for example, the "Object Creation and Initial Control Structures 
Templates and Classes," and "object definition file," "information" method and content methods 
discussions in the Ginter et al. specification. The described templates are, in at least some examples, 
capable of creating (and/or modifying) objects in a process that interacts with user instructions and 
provided content to create an object" ('861 4:65) 

- "The DDS creation tool 800 (see FIG. 10A) may then package the resulting DDS 200 into a secure 
container 100 along with an associated object 830" ('861 19:62) 

- "In accordance with one aspect of how to advantageously use descriptive data structures in 
accordance with a preferred embodiment of this invention, a machine readable descriptive data structure 
may be created by a provider to describe the layout of the provider's particular rights management data 
structure(s) such as secure containers. These descriptive data structure ("DDS") templates may be used 
to create containers." ('861 6:24) 

- "Object construction stage 1230 may use information in object configuration file 1240 to assemble or 
modify a container. This process typically involves communicating a series of events to SPE 503 to 
create one or more PERCs 808, public headers, private headers, and to encrypt content, all for storage in 
the new object 300 (or within secure database 610 within records associated with the new object)." 
('193 103:47) 

- "The Internet Repository 3406 VDE containerizes, including encrypts, selected object content as it 
streams out of the Repository in response to an online, user request to download an object" ('193 
313:33) 

- "The container manager 764 may, in cooperation with SPE 503, construct an object container 302 
based at least in part on parameters about new object content or other information as specified by object 
configuration file 1240. Container manager 764 may then insert into the container 302 the content or 
other information (as encrypted by SPE 503) to be included in the new object. Container manager 764 
may also insert appropriate permissions, rules and/or control information into the container 302 (this 
permissions, rules and/or control information may be defined at least in part by user interaction through 
object submittal manager 774, and may be processed at least in part by SPE 503 to create secure data 
control structures). Container manager 764 may then write the new object to object repository 687, and 
the user or the electronic appliance may "register" the new object by including appropriate information 
within secure database 610." ('193 104:12) [see Fig. 12A] 

Extrinsic: 


including or 
addressing . . . 
organization 
information . . . 
desired 

organization of a 
content section. . 
. and metadata 
information at 
least in part 
specifying at 
least one step 
required or 
desired in 
creation of said 
first secure 
container 


Intrinsic: 

- "metadata fields 264 (which may be part of and/or referenced by the descriptive data structure)" 
('861 14:20); "include or reference" ('861 15:21); advantages of referencing ('861 15:32-58); 
alternative to referencing is "explicitly include" ('861 15:59); "including or addressing" (861 .58); 
"includes a reference to" (861.69); 

- "it may be useful to store the metadata in a secure container 100 separately from DDS 200" ('861 
15:35) 

- "FIG. 7 shows an example of how descriptive data structure 200 may be formatted. As mentioned 
above, descriptive data structure 200 may comprise a list such as a linked list. Each list entry 260(1), 
260(2), . . . may include a number of data fields including, for example: an object name field 262, one 
or more metadata fields 264 (which may be part of and/or referenced by the descriptive data structure); 
and location information 266 (which may be used to help identify the corresponding information within 
the container data structure 100)." 

- "a descriptive data structure could serve as 'instructions' that drive an automated packaging 
application for digital content and/or an automated reader of digital content such as display priorities 
and organization (e.g., order and/or layout)." ('861 7:54); 

- "a DDS 200 could serve as the 'instructions' that drive an automated packaging application for 
digital content or an automated reader of digital content" ('861 13:) 

- "In accordance with one example, the machine readable descriptive data structure provides a 
description that reflects and/or defines corresponding structure(s) within the rights management data 
structure. For example, the descriptive data structure may provide a recursive, hierarchical list that 
reflects and/or defines a corresponding recursive, hierarchical structure within the rights management 
data structure. ... descriptive data structure may directly and/or indirectly specify where, in an 
associated rights management data structure, corresponding defined data types may be found." ('721 
5:56); 

- Issued claim 1: "a first memory storing a descriptive data structure, said descriptive data structure 
including: information regarding a first organization of elements within a secure container, said 
information including: information on the organization of said elements within said secure container; 
and information on the location of at least some of said elements within said secure container;" Issued 
claim 16: "using said organization information to identify a specific portion of said first secure 
container content" (see c. 17-19 re. specific portions) 

- Issued claim 34: "a representation of the format of data contained in a first rights management data 
structure said representation including: element information contained within said first rights 
management data structure; and organization information regarding the organization of said elements 
within said first rights management data structure; and information relating to metadata, said metadata 
including" 

- Issued claim 45 (dependent from 34-44): "said information regarding elements contained within 
said first rights management data structure includes information relating to the location of at least one 
such element" 

- Issued claim 73: "said descriptive data structure organization information includes information 
specifying that said first secure container contents will include at least a title and a text section referred 
to by said title." 

- Issued claim 74: "said descriptive data structure organization information includes information 
specifying that said first secure container contents will include at least one advertisement" 

- Issued claim 75: "said descriptive data structure further includes information relating to the location 
at which said title, said text section and said advertisement should be stored in said first secure 
container." 

- Issued claim 76: "at least a portion of said descriptive data structure organization information 
includes information specifying fields relating to at least one atomic transaction" 

- "For example, the FIG. 2A example descriptive data structure headline definition 202a does not 
specify a particular headline (e.g., "Yankees Win the Pennant!"), but instead defines the location (for 
example, the logical or other offset address) within the container data structure 100a (as well as certain 
other characteristics) in which such headline information may reside." ('861 10:54); 

"layout "hints" and field definitions (e.g., text, text block, integer, file, image or other data type)" ('861 
16:49) 

- "A method of creating a first secure container, said method including the following steps;" ('861 this 
claim 58) 

"Descriptive data structure 200 can, for example, tell application 506 to always display a certain field 
(e.g., the author or copyright field) and to never display other information (e.g., information that should 
be hidden from most users)." ('861 13:) 

Extrinsic: 


at least in part 
determine 
specific 
information 
required to be 
included in said 
first secure 
container . 
contents 


Intrinsic: 

- "Descriptive data structure 200 may provide encodings of other characteristics in the form of 
metadata that can also be used by application 506 during a process of creating, using or manipulating 
container 100. The DDS 200 can be used to generate a software program to manipulate rights 
management structures. For example, a DDS 200 could serve as the 'instructions' that drive an 
automated packaging application for digital content or an automated reader of digital content" ('861 
13:30); 

- "such metadata may impose integrity or other constraints during the creation and/or usage process 
(e.g., "when you create an object, you must provide this information", or "when you display the object, 
you must display this information")." ('861 15:25); "many possible integrity constraints.... Required: 
... Optional ... Required relationship ... Optional relationship ... Repetition" ('861 16:15); 

- " "construction type" metadata (upon object construction, the information is required; upon object 
construction, the object creation tool is to always or never prompt for the information)" ('861 16:41); 
"The descriptive data structure can be used to generate one or more portions of software programs that 
manipulate rights management structures. For example, a descriptive data structure could serve as 
'instructions' that drive an automated packaging application for digital content and/or an automated 
reader of digital content such as display priorities and organization (e.g., order and/or layout)." ('863 
7:51) 

"In use, electronic appliance 500 may access secure container 100 and-in accordance with rules 316— 
access the descriptive data structure 200 and content 102 it contains and provide it to application 506. 
The interpreter 508 within application 506 may, in turn, read and use the descriptive data structure 
200." 

For example, suppose the application 506 wants to display the "headline" information within newspaper 
style content shown in FIG. 2A. Application 506 may ask interpreter 508 to provide it with information 
that will help it to locate, read, format and/or display this "headline" information." ('861 12:57) 

Extrinsic: 


rule designed to 
control at least 
one aspect of 
access to or use 
of at least a 
portion of said 
first secure 
container 
contents 


Intrinsic: 

Prosecution History of '861 Patent: 

"Claims [1,10,25,26] are rejected under 35 U.S.C. 102(b) as being clearly anticipated by the common 
and decades-old practice of using database schema to describe the structure of a database which 
requires password/identifications for access. ... Claims [1-17,25-26] are rejected under 35 U.S.C. 
102(a) as being anticipated by Anderson et al (Anderson), USP 5,537,526, Method and Apparatus for 
Processing a Display Document Utilizing a System Level Document. The claims are rejected on the 
basis of the correspondence between the teachings of Anderson and the elements of the claims as 
follows: As to claim 1 (and 10), the TabstractModel 502 is a machine readable, abstract descriptive 
data structure which interoperates with Tmodels 506 (TM), and TmodelSurrogates 504 (TMS). ... 
These models are clearly data structures, and while they can be of many types, the data they manage 
can include restrictions that correspond to rights management." 

08/805,804 ('861), Office Action, 06/25/98, p. 2-3 

- "The rights management environment in which DigiBox™ containers are used allows commerce 
participants to associate rules with the digital information (content)." ('861 1:50) 

- "For example, a creator of content can package one or more pieces of digital information with a set 
of rules in a DigiBox secure container-such rules may be variably located in one or more containers 
and/or client control nodes-and send the container to a distributor. The distributor can add to and/or 
modify the rules in the container within the parameters allowed by the creator. The distributor can then 
distribute the container by any rule allowed (or not prohibited) means— for example, by communicating 
it over an electronic network such as the Internet. A consumer can download the container, and use the 
content according to the rules within the container. The container is opened and the rules enforced on 
the local computer or other InterTrust-aware appliance by software InterTrust calls an InterTrust 
Commerce Node. The consumer can forward the container (or a copy of it) to other consumers, who can 
(if the rules allow) use the content according to the same, differing, or other included rules-which rules 
apply being determined by user available rights, such as the users specific identification, including any 
class membership(s) (e.g., an automobile club or employment by a certain university). In accordance 
with such rules, usage and/or payment information can be collected by the node and sent to one or more 
clearinghouses for payment settlement and to convey usage information to those with rights to receive 
it" ('861 2:13) 

- "Descriptive data structure 200 may supply integrity constraints or rules that protect the integrity of 
corresponding content during use of and/or access to the content." ('861 12:2) 

- "For example, DDS 200 can specify that an article of a newspaper cannot be viewed without its 
headline being viewed. The corresponding integrity constraint can indicate the rule 'if there is an article, 
there must also be a headline'." ^ ooi lv.z) 

"In this example, each target data block 801 includes rule (control) information. Different target data 
blocks 801 can provide different rule information for different target environments 850. The rule 
information may, for example, relate to operations (events) and/or consequences of application program 
functions 856 within the associated target environment 850 such as specifying:" ('861 18:33) 

Extrinsic: 


'891:1 


Intrinsic: 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment" 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


resource 
processed in a 
secure operating 
environment at a 
first appliance 


Intrinsic: 

- Prosecution History of Application 08/388,107 (issued at '891): 
"Please amend the remaining claims as follows: 

15. (Amended) A method for [m*m» £ in £ ] using at least one resource [with] processed in a secure 
operating environment at a first appliance, said method comprising: 

securely receiving a first entity's control [from a first entity] at said first appliance, said first entity 
being located remotely from [external to] said operating environment and said first appliance; 
securely receiving a second entity's control [from a second entity] at said first appliance, said second 
entity being located remotely from [external to] said operating environment and said first appliance, 
said second entity being different from said first entity; and 

securely processing a data item at said first appliance, using at least one resource [, a data item 
associated with said first and second controls; and], including securely applying, at said first appliance 
through use of said at least one resource, said first entity's control and said second entity's control 
[controls] to [manage said resource for] govern use [with] of said data item." 

08/388,107, Amendment, 06/20/97, p. 2 (MSI028825) 

Extrinsic: 


securely 

receiving a first 

entity's control at 
said first 
appliance 


See above. 


securely 
receiving a 
second entity's 
control at said 
first appliance 


See above. 


securely 

processing a data 
item at said first 
appliance, using 
at least one 
resource 


Intrinsic: 

"a protected processing environment, coupled to said communications arrangements, that (a) securely 
processing, using at least one resource, a data item associated with said first and second controls, and 
(b) securely applies said first and second controls to manage said resources for use of said data item." 
(08/388,107 page 781 claim 75) 

Extrinsic: 


securely 

applying, at said 

first appliance 

through use of 
said at least one 
resource said first 
entity's control 
and said second 
entity's control to 
govern use of 
said data item 


Intrinsic: 

"Such secure combination of VDE manage pieces of content will frequently require VDE's ability to 
securely derive content control information which accommodates the control information requirements, 
including any combinational rules, of the respective VDE managed pieces of content and reflects an 
acceptable agreement between plural control information sets." (293:12) 

Extrinsic: 


'900:155 


Intrinsic: 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment" 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 

Prosecution History of '900: 

Claims 302, 321 and 322, as pending: 

"302. A virtual distribution environment comprising 

• a first host processing environment comprising 

• a central processing unit; 

• main memory operatively connected to said central processing unit; 

• mass storage operatively connected to said central processing unit and said main 
memory; 

• said mass storage storing tamper resistant software designed to be loaded into said 
main memory and executed by said central processing unit, said tamper resistant 
software comprising: 

• machine check programming which derives information from one or more aspects of 
said host processing environment, 

• one or more storage locations storing said information; and 

• integrity programming which 

• causes said machine check programming to derive said information, 

• compares said information to information previously stored in said one or more 
storage locations, and 

• generates an indication based on the result of said comparison. 

321. A virtual distribution environment as in claim 302, 

• said virtual distribution environment further comprising programming which takes 
one or more actions based on the state of said indication. 

322. A virtual distribution environment as in claim 321 in which said one or more actions 
includes at least temporarily halting further processing." 

(08/706,206 ('900), Amendment, 06/09/98, 92-93, 96, 96-97) 

"Claims ... 322-324, ... are objected to as being dependent upon a rejected base claim, but would be 
allowable if rewritten in independent form including all of the limitations of the base claim and any 
intervening claims." 

08/706,206 ('900), Office Action, 08/27/98, p. 2 



"322. A virtual distribution environment comprising 

• a first host processing environment comprising 

• a central processing unit; 

• main memory operatively connected to said central processing unit; 

• mass storage operatively connected to said central processing unit and said 
main memory; 

• said mass storage storing tamper resistant software designed to be loaded 
into said main memory and executed by said central processing unit, said tamper 
resistant software comprising: 

• machine check programming which derives information from one or more 
aspects of said host processing environment, 

• one or more storage locations storing said information; 

• integrity programming which 

o causes said machine check programming to derive said information, 

o compares said information to information previously stored in said 
one or more storage locations, and 

o generates an indication based on the result of said comparison; and 

• programming which takes one or more actions based on the state of said 
indication; 

• said one or more actions including at least temporarily halting further 
processing." 

(pg. 27-28) 

Remarks, "Applicants appreciate the indication that claims ... are allowed and that claims ... 322-324 
are objected to but would be allowable if rewritten into independent form. ... For purposes of 
expedition, applicants are cancelling the rejected claims without prejudice and are rewriting 
objected to dependent claims into independent form." (pg. 42) 
08/706,206 ('900), Amendment, 11/23/98, p. 27-28, 42 


first host 
processing 
environment 
comprising . 


See above. 


said mass storage 
storing tamper 
resistant software 


See above. 


designed to be 
loaded into said 
main memory 
and executed by 
said central 
processing unit 


See above. 


said tamper 

resistant software 
comprising: . . . 
one or more 
storage locations 
storing said 
information 


Intrinsic: 

"Referring once again to FIG. 69B, the installed operational materials 3472 may be further customized 
for each instance by making random changes to reserved, unused portions of the operational materials 
(FIG. 69B, block 3470(6)). An example of this is shown in FIG. 69E. In this example, the operational 
materials 3472 include unused, embedded random data or code portions 3494." 

Extrinsic: 


derives 

information from 
one or more 
aspects of said 
host processing 
environment, 


Intrinsic: 

('900 73:1 - 80:6); ('900 230:55 - 233:34); ('900 235:28-244:15); Figs. 69A-N 


one or more 
storage locations 
storing said 
information 


Intrinsic: 

"Referring once again to FIG. 69B, the installed operational materials 3472 may be further customized 

for each instance by making random changes to reserved, unused portions of the operational materials 
(FIG. 69B, block 3470(6)). An example of this is shown in FIG. 69E. In this example, the operational 
materials 3472 include unused, embedded random data or code portions 3494." 


information 
previously stored 
in said one or 
more storage 
locations 


Intrinsic: 
See terms. 


generates an 
indication based 
on the result of 
said comparison 


See terms. 


programming 
which takes one 
or more actions 
based on the state 
of said indication 


Intrinsic: 

Claim 321, as pending: 

"321. A virtual distribution environment as in claim 302, 
said virtual distribution environment further comprising programming which takes one or more actions 
based on the state of said indication." 
08/706,206 ('900), Amendment, 06/09/98, p. 96 


at least 
temporarily 
halting further 
processing 


See halting. 


'912:8 


"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment" 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


identifying at 
least one aspect 
of an execution 
space required 
for use and/or 
execution of the 
load module 


Intrinsic: 

"For each site, the manufacturer generates a site ID 2821 and list of site characteristics 2822." ('193 
209:55) 


said execution 
space identifier 
provides the 
capability for 
distinguishing 
between 

execution spaces 
providing a 
higher level of 
security and 
execution spaces 
providing a lower 
level of security 


Extrinsic: 

See generally processor identification field, memory maps, and address spaces. 
(Tanenbaum, A., Modern Operating Systems, MSI096004) 


checking said 
record for 
validity prior to 
performing said 
executing step 


Extrinsic: 

Validity Check: The process of analyzing data to determine whether it conforms to predetermined 
completeness and consistency parameters. (Microsoft Computer Dictionary, 3rd ed. 1997) 



EXHIBIT D TO JOINT CLAIM CONSTRUCTION STATEMENT- Page 99 of 100 




Claim Term 


MS Construction 


'912:35 


"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


received in a 
secure container 


See terms. 


said component 
assembly 
allowing access 
to or use of 
specified 
information 


See terms. 


said first 
component 
assembly 
specified by said 
first record 


See terms. 
Exhibit E 

Microsoft's Statement of Reservations 

Microsoft provides its attached claim construction for each of the 12 "Mini-Markman" 
claims, subject to the limitations and reservations of rights set forth herein. 

Claim Invalidity: Microsoft does not waive any defenses that the asserted claims 
fail to satisfy the provisions of 35 U.S.C. § 112, including, for example, the written 
description requirement, the definiteness requirement, or any other requirement for 
patentability. Microsoft does not concede that the asserted claims are supported by 
Plaintiff's original "big book" application or any application from which they purportedly 
claim priority. By offering a construction of a term, Microsoft does not waive any 
defense that the claim is indefinite and there can be no proper construction. 

Continuing Discovery: Microsoft reserves the right to modify its claim 
constructions in light of ongoing claim construction discovery. Microsoft reserves the 
right to modify or supplement its cited extrinsic evidence in light of information which is 
provided in continuing claim construction discovery, or information which has already 
been provided but too recently, or in too high a volume, or in other manner inhibiting its 
full review, such as InterTrust's re-production of over 1,000,000 pages on November 4, 
2002. 

Intrinsic Evidence: For the purposes of submission of this claim construction 
only, Microsoft treats the "intrinsic" evidence as including: 1) the specifications of each 
of the seven U.S. patents at issue in the "Mini-Markman" proceeding, including any 
material purportedly incorporated by reference therein; 2) the prosecution history of each 
of the seven patents at issue, including the applications and prosecution history of the 
seven patents and any related patent applications, including without limitation, 
applications purportedly incorporated by reference or to which an application claimed 
priority; and 3) all references cited in the prosecution of any such applications. 




Microsoft does so without waiving the right to contest whether some of this information 
is or is not properly part of the intrinsic evidence. 




Exhibit F 

Dr. Reiter is expected to testify as follows: 

1. Dr. Reiter will testify regarding the meaning of the disputed claim elements to 
one of ordinary skill in the art, taking into account the understood meaning of the terms 
in the art, the patent specifications and the file histories. He will testify as follows: 

a. InterTrust's proposed definitions, attached as Exhibit B to the Joint Claim 
Construction Statement ("JCCS") are consistent with the use of the terms or phrases in 
the specification and the relevant art. Those definitions are attached hereto. Citations to 
supporting specification text and relevant art can be found in Exhibit C to the JCCS. 

b. Microsoft has made repeated substantial changes to its proposed definitions, 
the changes continuing up to shortly before the present document was prepared. For this 
reason, it is impossible to include detailed responses to the issues raised by those 
definitions. 

In general, however, the Microsoft definitions incorporate restrictions that are 
inconsistent with specification use of the terms and/or inconsistent with the 
understanding of the terms in the art. Those inconsistencies are demonstrated by the 
attached supporting evidence. The following discussion lists one or more serious 
deficiencies in each Microsoft definition, but is not intended as a comprehensive 
description of all such deficiencies. 

Individual terms 

Access/Access to/Accessing/Accessed 

The first sentence of Microsoft's definition is generally consistent with the 
InterTrust definition. The second sentence of the Microsoft definition is based on a 
specific disclosed embodiment, and is inconsistent with general use of the term in the 
specifications. 

Addressing 

The two parties' definitions are very close. Microsoft's definition is, however, 
improper in its apparent exclusion of indirect addressing. 

Allowing, allows 

Microsoft's definition is based on a specific disclosed embodiment and ignores 
other embodiments. See InterTrust's supporting evidence. 



Arrangement 




Microsoft's definition requires particular types of organizations and is therefore 
inconsistent with the patent specifications. 

Aspect 

Microsoft's definition is overly restrictive in its requirement that an aspect be 
"persistent" and that it "can be used to distinguish [an environment] from other 
environments." 

Associated with 

Microsoft's definition incorporates restrictions based on a particular embodiment 
and is inconsistent with other disclosed embodiments and with the general meaning of the 
term. 

Authentication 

Microsoft's definition requires multiple types of authentication, in a manner not 
required by use of this term in the specification or the art. Moreover, some of these types 
cannot be applied (e.g., "origin integrity" applied to an organization). 

Authorization information, Authorized, Not authorized 

Microsoft's definitions are based on specific embodiments and contradicted by 
alternative embodiments disclosed in the specifications. 

Budget control; Budget 

Microsoft's definition improperly restricts "budget" to a particular type of 
method, and improperly restricts Budget Control in a manner inconsistent with the 
specification. 

Can be 

Microsoft's definition incorporates the language "which otherwise cannot be 
carried out." This language is inconsistent with the specifications. 

Capacity 

The Microsoft definition relates to hardware storage devices, a context that is 
irrelevant to use of the term in the relevant claim. 

Clearinghouse 

Microsoft's definition is inconsistent with use of this term in the specifications. 
See InterTrust's supporting evidence. 



Compares; Comparison 

Microsoft's definition is based on a particular type of processor operation, a 
context that is not discussed in the specification and not required by the claim. 

Component assembly 

Microsoft's definition incorporates a large number of restrictions based on 
specific embodiments and ignoring alternate embodiments. 

Contain, contained, containing 

Microsoft's definition requires "physically" or "directly" storing, and 
distinguishes Addressing. This is inconsistent with use of the term in the specification. 

Control (n.); Controls (n.) 

The Microsoft definition incorporates a large number of restrictions based on 
specific embodiments, and ignores alternate embodiments described in the specifications. 

Controlling; Control (v.) 

The Microsoft definition incorporates limitations that are not required by the 
specification, including limitations contradicted by use of the term in the specifications 
and by disclosed embodiments. 

Copied file 

The Microsoft definition improperly distinguishes "copied file" from "copy." 

Copy, copied, copying (v.) 

The Microsoft definition is internally inconsistent, since it both prohibits and 
allows changes in the reproduced file. That definition also incorporates examples that are 
inconsistent with use of the terms in the claims. 

Copy control 

The Microsoft definition is inconsistent with use of this term in the claim.

Data item

The Microsoft definition incorporates limitations not present in the InterTrust 
definition. These limitations are not required by the specification or normal use of the 
term in the art. 



Derive, Derives 

The Microsoft definition requires retrieval, a concept not required by the 
specifications or use of this term in the claim. 

Descriptive data structure 

Limitations in the last two sentences of the Microsoft definition are inconsistent 
with described embodiments and are not required by the specifications or use of the term
in the claims.

Designating 

The Microsoft definition does not apply to this term, but instead to the claim 
phrase in which the term is found. That claim phrase is separately defined. 

Device class 

The Microsoft definition is inconsistent with the definition given to this term 
during prosecution. 

Digital file 

The Microsoft definition is overly restrictive. The limitations it incorporates are
not required by the specification, use of the term in the claims or general use in the 
relevant art. 

Digital signature; Digitally signing 

The Microsoft definition of digital signature requires that the string be 
"computationally unforgeable," a characteristic that is impossible to obtain. The 
Microsoft definition of digitally signing requires a secret key, and also includes 
significant background discussion not necessary for the definition. 

Entity's control 

Microsoft's definition improperly requires control of a "particular use of or access 
to particular protected information by a particular user(s)." No such requirements are 
imposed by the term, the claim or the specifications. 

Environment 

Microsoft does not appear to have provided any definition for this term.

Executable programming; Executable




Microsoft's requirement of "machine code instructions" is inconsistent with use 
of this term in the specifications. In addition, Microsoft's definition of "computer 
program" imposes limitations not required by these terms. 

Execution space; Execution space identifier 

Microsoft's definition of Execution Space is inconsistent with the explicit 
definition given to this term during prosecution. Microsoft's definition of Execution 
Space Identifier improperly requires "unique" identification. 

Governed item 

Microsoft's definition of Governed Item requires arbitrarily fine granularity and 
control of "access and use by any user, process, or device." Neither the term nor the 
specifications require such limitations. 

Halting 

The Microsoft definition requires execution be "unconditionally" stopped. The 
specification imposes no such requirement, and the Microsoft definition appears to be 
based on a particular type of instruction that is not mentioned in the patents. 

Host processing environment 

The Microsoft definition incorporates the term "VDE node," a term that is itself 
defined at great length, incorporating numerous improper limitations. The Microsoft 
definition also improperly incorporates restrictions based on privileged mode versus user 
mode, and "loaded" software. In addition, the Microsoft definition improperly excludes 
hardware. 

Identifier, Identify, Identifying 

The Microsoft definitions improperly restrict these terms to "particular instances."

Including

The definitions are consistent, except that the hardware portion of Microsoft's 
definition requires "physically present within." This is inconsistent with use of the term 
in the claims. 

Information previously stored 

Microsoft's definition would render the claim nonsensical, since it would require 
a comparison involving information that is no longer available for the comparison. 



Integrity programming 

The Microsoft definition is internally inconsistent, improperly incorporates the 
term Executable Programming and improperly defines integrity as excluding all 
alterations. 

Key 

Microsoft's exclusion of "key seed or other information from which the actual 
encryption and/or decryption key is constructed, derived, or otherwise identified" is 
inconsistent with the specification and general use of the term in the relevant art. 

Load module 

Microsoft's definition imposes numerous limitations beyond those identified in 
the InterTrust definition. Those additional limitations are not required by the term and 
are inconsistent with embodiments disclosed in the specifications. 

Machine check programming 

The Microsoft definition improperly requires Executable Programming and a 
"unique 'machine signature' which distinguishes the physical machine from all other 
machines." These limitations are not required by the term. 

Opening secure containers 

The Microsoft definition improperly distinguishes "opening" from decrypting, 
and improperly incorporates limitations based on a particular embodiment of opening. 

Operating environment 

See Processing Environment.

Organization, Organization information, Organize

The Microsoft definitions improperly incorporate concepts related to physical
storage.

Portion

The Microsoft definition improperly implies that presence of a "portion" excludes 
presence of the whole. 



Prevents 




The Microsoft definition requires a level of certainty that is inconsistent with the 
specification and impossible to obtain. 

Processing Environment 

The Microsoft definition incorporates a specific embodiment and would exclude 
other embodiments disclosed for this term. 

Protected processing environment 

The Microsoft definition incorporates at least several dozen highly restrictive and 
unnecessary limitations, and appears to combine restrictions from multiple separate 
embodiments. 

Protecting 

The incorporation of Security into the Microsoft definition is improper, since that 
term is considerably more general than the manner in which Protecting is used in the 
claim. 

Record 

The Microsoft definition includes limitations beyond those incorporated in the 
InterTrust definition. These added limitations are not required by use of this term in the 
claims, specification, or art. 

Required 

The Microsoft definition implies a degree of absoluteness that is inconsistent with 
the specification. The second sentence of the Microsoft definition is unsupported by the 
specification or normal use of the term. 

Resource processed 

The Microsoft definition improperly requires a "shared facility," and that the 
resource be "required by a job or task." These are not required by the claim or 
specification. 

Rule 

The Microsoft definition improperly distinguishes Rules from Controls, and 
imposes an unsupported requirement that a Rule be a "lexical statement." 



Secure 




The Microsoft definition requires absolute protection against all possible threats, 
and is therefore inconsistent with use of the term in the specification, the claims, and the 
relevant art. 

Secure container 

The requirements imposed by the Microsoft definition are either inconsistent with 
the specification or ignore disclosed embodiments. 

Secure container governed item 

The Microsoft definition imposes a requirement of absolute security that is 
inconsistent with the specification and ignores alternate disclosed embodiments. 

Secure database 

The Microsoft definition improperly defines "database" in accordance with one 
particular type of database, and improperly imposes a requirement of absolute security 
that is inconsistent with the specification. 

Secure execution space 

The Microsoft definition is inconsistent with and excludes embodiments of Secure 
Execution Spaces described in the specification. 

Secure memory 

Microsoft's definition of "memory" improperly excludes virtual memory. 
Microsoft's definition of Secure Memory includes numerous restrictions not supported by 
the specification. 

Secure operating environment, Said operating environment 

See Secure Processing Environment. 

Securely applying 

Microsoft's definition of "securely" is inconsistent with and excludes 
embodiments described in the specification. 

Microsoft's definition of Securely Applying improperly includes limitations from 
specific embodiments, as well as limitations not required by the specification or claims. 



Securely assembling 



The Microsoft definition incorporates limitations from specific embodiments, and 
ignores alternate embodiments not requiring those limitations. 

Securely processing 

The Microsoft definition improperly incorporates a requirement of a secure 
execution space. This requirement is inconsistent with embodiments described in the
specification. 

Securely receiving 

The Microsoft definition is based on limitations taken from a particular 
embodiment and ignores alternate embodiments. 

Security level, Level of security 

The Microsoft definition improperly requires an "ordered measure" and 
persistence. The second and third sentences from the Microsoft definition are 
unsupported by any disclosure in the specifications. 

Tamper resistance 

The Microsoft definition improperly requires a tamper resistant barrier. 

Tamper resistant barrier 

The Microsoft definition describes a specific embodiment, and is inconsistent 
with alternate embodiments described in the specifications. 

Tamper resistant software 

The Microsoft definition improperly requires a tamper resistant barrier. 

Use 

The second sentence of the Microsoft definition improperly incorporates 
limitations from a particular embodiment. 

User controls 

The Microsoft definition is inconsistent with the claim and the prosecution
history.

Validity




The Microsoft definition improperly incorporates the concept of "authentication," 
and applies only to data. 

Virtual distribution environment 

See Global Construction of VDE.

Claim phrases

193.1

receiving a digital file including music 

The Microsoft definition includes numerous unnecessary limitations, including 
secure container, authenticating a recipient and use of controls.

a budget specifying the number of copies which can be made of said digital file 

The Microsoft definition improperly includes "copies" that are not "long-lived, 
decrypted or accessible." The Microsoft definition also ignores embodiments involving 
alternative control structures. 

controlling the copies made of said digital file 

The Microsoft definition improperly incorporates limitations from particular 
embodiments, ignores embodiments describing alternative control structures and imposes 
numerous limitations that are not supported by the specification or claim language. 

determining whether said digital file may be copied and stored on a second device 
based on at least said copy control 

The Microsoft definition incorporates numerous unnecessary limitations not 
required by the claim or the specification, improperly requires that "the" file, as opposed 
to a copy, be stored on a second device, excludes described alternative embodiments and 
requires an absolute degree of control that is inconsistent with the specification. 

if said copy control allows at least a portion of said digital file to be copied and 
stored on a second device 

The Microsoft definition's "explanation" of the branches makes no sense and is 
unsupported by the claim and improperly requires that "the" file, as opposed to a copy,
be stored on a second device. 

copying at least a portion of said digital file 




The Microsoft definition improperly distinguishes a "copy" and "the" file, and
improperly excludes embodiments described in the specification. 

transferring at least a portion of said digital file to a second device 

The Microsoft definition improperly distinguishes a "copy" and "the" file, 
improperly requires that controls be executed and ignores alternative embodiments 
described in the specification. 

storing said digital file 

The Microsoft definition improperly distinguishes a "copy" and "the" file, and 
improperly requires storage of the entire file rather than a portion. 

193.11 

receiving a digital file 

The Microsoft definition includes numerous unnecessary limitations, including 
secure container, authenticating a recipient and use of controls.

determining whether said digital file may be copied and stored on a second device 
based on said first control 

The Microsoft definition incorporates numerous unnecessary limitations not 
required by the claim or the specification, improperly requires that "the" file, as opposed 
to a copy, be stored on a second device, excludes described alternative embodiments and 
requires an absolute degree of control that is inconsistent with the specification. 

identifying said second device 

The Microsoft definition improperly requires that the identification distinguish the 
device from all other devices, that controls be used and that a VDE Secure Processing 
Environment be used. 

whether said first control allows transfer of said copied file to said second device 

The Microsoft definition improperly distinguishes a "copy" from "the" file, and 
ignores embodiments describing alternative control structures. 

said determination based at least in part on the features present at the device 

The Microsoft definition improperly requires that all features be used, that these 
be "actual, current" features and improperly excludes device identifiers. 




if said first control allows at least a portion of said digital file to be copied and 
stored on a second device 

The Microsoft definition's "explanation" of the branches makes no sense and is 
unsupported by the claim and improperly requires that "the" file, as opposed to a copy,
be stored on a second device. 

copying at least a portion of said digital file 

The Microsoft definition improperly distinguishes a "copy" and "the" file, and 
improperly excludes embodiments described in the specification. 

transferring at least a portion of said digital file to a second device 

The Microsoft definition improperly distinguishes a "copy" and "the" file, 
improperly requires that controls be executed and ignores alternative embodiments 
described in the specification. 

storing said digital file 

The Microsoft definition improperly distinguishes a "copy" and "the" file, and 
improperly requires storage of the entire file rather than a portion. 

193.15 

receiving a digital file 

The Microsoft definition includes numerous unnecessary limitations, including 
secure container, authenticating a recipient and use of controls, and the requirement that
the step must proceed in both authentication branches is not supported in the claim. 

an authentication step comprising: 

The Microsoft definition improperly includes a requirement of an absence of trust, 
VDE controls and a VDE Secure Processing Environment. 

accessing at least one identifier associated with a first device or with a user of said 
first device 

The Microsoft definition improperly requires "securely" accessing, that an
identifier identify a "single" user or device (but not "and"), VDE controls, and a VDE
Secure Processing Environment. 

determining whether said identifier is associated with a device and/or user 
authorized to store said digital file 




The Microsoft definition improperly requires VDE controls and a VDE Secure 
Processing Environment. 

storing said digital file in a first secure memory of said first device, but only if said 
device and/or user is so authorized, but not proceeding with said storing if said 
device and/or user is not authorized 

The Microsoft definition ignores embodiments describing alternative control 
structures, and improperly requires that "the" file be stored, as opposed to a copy, VDE 
controls, and a VDE Secure Processing Environment. 

storing information associated with said digital file in a secure database stored on 
said first device, said information including at least one control 

Microsoft's definition improperly requires that the stored information be 
associated with the digital file but not the digital file's contents, VDE controls, a VDE 
Secure Processing Environment and that the step proceed regardless of the outcome of 
the authentication step. 

determining whether said digital file may be copied and stored on a second device 
based on said at least one control 

The Microsoft definition incorporates numerous unnecessary limitations not 
required by the claim or the specification, improperly requires that "the" file, as opposed
to a copy, be stored on a second device, excludes described alternative embodiments, 
requires an absolute degree of control that is inconsistent with the specification, and 
requires that the step proceed regardless of the outcome of the authentication step. 

if said at least one control allows at least a portion of said digital file to be copied 
and stored on a second device, 

The Microsoft definition's "explanation" of the branches makes no sense and is 
unsupported by the claim and improperly requires that "the" file, as opposed to a copy,
be stored on a second device. 

copying at least a portion of said digital file 

The Microsoft definition improperly distinguishes a "copy" and "the" file, and 
improperly excludes embodiments described in the specification and improperly requires 
that the step proceed regardless of the outcome of the authentication step.

transferring at least a portion of said digital file to a second device 

The Microsoft definition improperly distinguishes a "copy" and "the" file, 
improperly requires that controls be executed and ignores alternative embodiments
described in the specification, and improperly requires that the step proceed regardless of
the outcome of the authentication step. 

storing said digital file 

The Microsoft definition improperly distinguishes a "copy" and "the" file, and 
improperly requires storage of the entire file rather than a portion, and improperly 
requires that the step proceed regardless of the outcome of the authentication step. 

193.19 

receiving a digital file at a first device 

The Microsoft definition includes numerous unnecessary limitations, including 
secure container, authenticating a recipient and use of controls.

establishing communication between said first device and a clearinghouse located at 
a location remote from said first device 

The Microsoft definition improperly requires a communications channel and that 
the communications channel was "previously non-existent." 

using said authorization information to gain access to or make at least one use of 
said first digital file 

The Microsoft definition improperly requires that "all of the authorization 
information be used, VDE controls, a VDE Secure Processing Environment, and ignores 
embodiments describing alternative control structures. 

receiving a first control from said clearinghouse at said first device 

The Microsoft definition includes numerous unnecessary limitations, including 
secure container, authenticating a recipient and use of controls.

storing said first digital file in a memory of said first device 

The Microsoft definition improperly requires VDE controls and a VDE Secure 
Processing Environment. 

using said first control to determine whether said first digital file may be copied and 
stored on a second device 



The Microsoft definition incorporates numerous unnecessary limitations not
required by the claim or the specification, improperly requires that "the" file, as opposed
to a copy, be stored on a second device, excludes described alternative embodiments and
requires an absolute degree of control that is inconsistent with the specification. 

if said first control allows at least a portion of said first digital file to be copied and 
stored on a second device 

The Microsoft definition's "explanation" of the branches makes no sense and is 
unsupported by the claim and improperly requires that "the" file, as opposed to a copy,
be stored on a second device. 

copying at least a portion of said first digital file 

The Microsoft definition improperly distinguishes a "copy" and "the" file, and 
improperly excludes embodiments described in the specification. 

transferring at least a portion of said first digital file to a second device including a 
memory and an audio and/or video output 

The Microsoft definition improperly distinguishes a "copy" and "the" file, 
improperly requires that controls be executed and ignores alternative embodiments 
described in the specification. 

storing said first digital file portion 

Microsoft's definition improperly distinguishes a "copy" and "the" file. 

683.2 

the first secure container having been received from a second apparatus 

Microsoft's definition improperly requires that the first secure container identify 
the apparatus from which it was received, and improperly argues that, in the absence of 
such identification, that container could not be distinguished from a container created at 
the site. Microsoft's definition includes numerous improper limitations, including 
authenticating a recipient and authentication occurring in accordance with VDE controls. 
The examples cited by Microsoft are misleading, since these are specific embodiments 
rather than general requirements. 

an aspect of access to or use of 

Microsoft's definition improperly excludes rules governing more than one aspect, 
improperly excludes access and use and improperly requires that the aspect be governed 
in relation to "any and all processes, users, and devices."

the first secure container rule having been received from a third apparatus different 
from said second apparatus 




Microsoft's definition improperly requires that the first secure container identify 
the apparatus from which it was received, and improperly argues that, in the absence of 
such identification, that container could not be distinguished from a container created at 
the site. Microsoft's definition includes numerous improper limitations, including receipt 
in a secure container, authenticating a recipient and authentication occurring in 
accordance with VDE controls. 

hardware or software used for receiving and opening secure containers 

Microsoft's definition improperly requires a Secure Processing Environment and 
SPU, improperly requires "the same single logical piece of either hardware or software 
(as opposed to both)," and improperly requires authentication and VDE controls.

said secure containers each including the capacity to contain a governed item, a 
secure container rule being associated with each of said secure containers 

The Microsoft definition improperly requires that rules be associated with secure 
containers, as opposed to governed items. 

protected processing environment at least in part protecting information contained 
in said protected processing environment from tampering by a user of said first 
apparatus 

The Microsoft definition is unsupported in the specification. It is contradicted by 
the claim and improperly requires numerous elements not required by the specification, 
including a Secure Processing Environment. 

hardware or software used for applying said first secure container rule and a second 
secure container rule in combination to at least in part govern at least one aspect of 
access to or use of a governed item contained in a secure container 

The Microsoft definition improperly requires a Secure Processing 
Environment/SPU, a "single" piece of hardware or software, assembly of a control and 
governance through VDE controls. 

hardware or software used for transmission of secure containers to other 
apparatuses or for the receipt of secure containers from other apparatuses. 

The Microsoft definition improperly requires a Secure Processing 
Environment/SPU, a "single" piece of hardware or software, assembly of a control and 
governance through VDE controls. The examples cited by Microsoft are misleading, 
since these are specific embodiments rather than general requirements. 



721.1 




digitally signing a first load module with a first digital signature designating the first 
load module for use by a first device class 

The Microsoft definition improperly requires that the digital signature be used as 
the signature key, that all load modules be signed and that certain devices not have keys. 

digitally signing a second load module with a second digital signature different from 
the first digital signature, the second digital signature designating the second load 
module for use by a second device class having at least one of tamper resistance and 
security level different from the at least one of tamper resistance and security level 
of the first device class 

The Microsoft definition improperly requires that the digital signature be used as 
the signature key, that all load modules be signed, that certain devices not have keys, that 
security levels be persistent and that security levels be greater or less than other security 
levels. 

distributing the first load module for use by at least one device in the first device 
class 

The Microsoft definition improperly requires transmission and that the digital 
signature accompany the first load module as distributed. 

distributing the second load module for use by at least one device in the second 
device class 

The Microsoft definition improperly requires transmission and that the digital 
signature accompany the first load module as distributed. 

721.34 

arrangement within the first tamper resistant barrier 

The Microsoft definition improperly requires that the arrangement be "executed 
wholly within the first tamper resistant barrier." 

prevents the first secure execution space from executing the same executable 
accessed by a second secure execution space having a second tamper resistant 
barrier with a second security level different from the first security level 

The Microsoft definition improperly requires that the second secure execution 
space be part of the protected processing environment, that security level differences be 
persistent and higher or lower than each other and that the "same" executable be 
executed. 



861.58 




creating a first secure container 

The Microsoft definition improperly requires a VDE Secure Processing 
Environment. 

including or addressing . . . organization information . . . desired organization of a
content section . . . and metadata information at least in part specifying at least one
step required or desired in creation of said first secure container 

The second paragraph from Microsoft's definition is inconsistent with the claim. 
The limitations imposed by the third paragraph are not required by the claim or 
specification. 

at least in part determine specific information required to be included in said first 
secure container contents 

The Microsoft definition improperly excludes other reasons for inclusion of the 
information and improperly requires specific values. 

rule designed to control at least one aspect of access to or use of at least a portion of 
said first secure container contents 

The Microsoft definition improperly requires that the rule be designed for 
particular contents, that the rule be used by VDE controls, the presence of a VDE Secure 
Processing Environment and that the rule is generated or identified based on the 
descriptive data structure. Microsoft's definition also excludes embodiments describing 
alternative control structures. 

891.1 

resource processed in a secure operating environment at a first appliance 

The Microsoft definition improperly requires a shared facility and a Secure 
Processing Unit with specific features. 

securely receiving a first entity's control at said first appliance 

The Microsoft definition includes numerous unnecessary limitations, including 
secure container, authentication, use of controls and encryption on the communications 
level. 

securely receiving a second entity's control at said first appliance 




The Microsoft definition includes numerous unnecessary limitations, including 
secure container, authentication, use of controls and encryption on the communications 
level. 

securely processing a data item at said first appliance, using at least one resource 

The Microsoft definition improperly requires a Secure Processing Unit including 
numerous limitations. 

securely applying, at said first appliance through use of said at least one resource 
said first entity's control and said second entity's control to govern use of said data 
item 

The Microsoft definition improperly requires a Secure Processing Environment 
consisting of a Secure Processing Unit and that the resource be a component part of a 
secure operating environment. 

900.155 

first host processing environment comprising 

The Microsoft definition incorporates limitations not required by the claim or the 
specifications, including limiting the host processing environment to only currently 
executing software. 

designed to be loaded into said main memory and executed by said central 
processing unit 

The Microsoft definition improperly requires that the software is capable of being 
loaded "only" in the main memory and executed "only" by the CPU. 

said tamper resistant software comprising: . . . one or more storage locations storing 
said information 

The Microsoft definition improperly requires that the storage locations be part of 
the machine check programming and that the storage locations must not store other 
information. 

derives information from one or more aspects of said host processing environment, 

The Microsoft definition improperly requires that information be derived from 
"hardware," and that the information "uniquely and persistently" identify the host 
processing environment. 

one or more storage locations storing said information 




The Microsoft definition improperly requires that the storage locations be part of 
the tamper resistant software and that the storage locations must not store other 
information. 

information previously stored in said one or more storage locations 

Microsoft's definition would render the claim nonsensical, since it would require 
a comparison involving information that is no longer available for the comparison. 

generates an indication based on the result of said comparison 

Microsoft's definition improperly requires that only two results be possible and 
that the indication is based solely on the result of the "compares" step. 

programming which takes one or more actions based on the state of said indication 

The Microsoft definition improperly requires executable programming, that the 
programming not be part of the host processing environment, that the programming must 
take an action regardless of the indicator state and that the action must be based solely on 
the state of the indication. 

at least temporarily halting further processing 

Microsoft's definition improperly requires that the host processing environment 
and all processes running in it be halted. 

912.8 

identifying at least one aspect of an execution space required for use and/or 
execution of the load module 

The Microsoft definition improperly requires that the identifier "define fully, 
without reference to any other information." 

said execution space identifier provides the capability for distinguishing between 
execution spaces providing a higher level of security and execution spaces providing 
a lower level of security 

The Microsoft definition improperly requires that the execution space identifier 
provides the load module with the ability to determine a level of security, and the 
presence of two higher and two lower levels of security. 

checking said record for validity prior to performing said executing step 



The Microsoft definition improperly requires that the record be checked before 
execution of any identified information, that evaluation occur within a VDE Secure 
Processing Environment, and that specific types of information be checked. 

912.35 

received in a secure container 

The Microsoft definition improperly requires "encapsulation" in a secure 
container, authentication in accordance with VDE controls and acceptance of the secured 
container. 

said component assembly allowing access to or use of specified information 

The Microsoft definition improperly requires that the component assembly 
operate by itself, that it execute in a VDE Secure Processing Environment and that the 
component assembly be dedicated to specific information. The Microsoft definition 
ignores embodiments describing alternative control structures and improperly 
distinguishes access and use. 

said first component assembly specified by said first record 

The first paragraph of Microsoft's definition defines this term in a restrictive 
manner with no support in the claim. Microsoft's second paragraph is devoted to a non- 
existent inconsistency created by Microsoft's restrictive definition. 

Claims as a Whole: 

In every case, Microsoft requires the system be a VDE or the method be 
performed in a VDE. This requirement is not supported by the language of any of the 
claims. 

Global Construction 

The language of the individual claims contains nothing to support the large 
number of restrictions imposed by Microsoft's "global construction." Those restrictions 
are unsupported by and in many cases contradicted by the specification. 

2. Digital Rights Management in general. Dr. Reiter will testify regarding Digital 
Rights Management technology, including encryption and tamper-resistance techniques. 
The nature and extent of such testimony will depend on the Court's decision as to the 
scope and format of tutorial presentations. 

3. InterTrust's patents and patent claims. Dr. Reiter will testify regarding the 
general nature of the InterTrust patents, and will summarize the claims at issue in the 
initial Joint Claim Construction hearing. The nature of that testimony will depend on the 
Court's decision as to ordering and format of testimony, but will be consistent with the 
testimony outlined above regarding claim terms and phrases. 

Summary of Opinions of Professor John Mitchell 

In Support of Microsoft's Proposed Claim Constructions 

1. In the field of computer security, terms such as "secure," "protect," and "tamper 
resistance" are understood differently depending on the particular context in which they are 
used. They have such a range of possible meanings that context is essential to understanding 
what these terms mean in a given instance. The same is true for terms like "govern" and 
"control" when they are used to describe computer systems or access to information. 

A person skilled in the computer security field would not expect to use a dictionary to 
understand what these terms mean in a given context; rather, he or she would expect to review 
the particular reference or system in question to see what adversarial events or attacks are 
being defended against. Generally speaking, dictionary "definitions" are not sufficient for 
understanding how these terms are meant in a particular case. A number of terms and phrases 
used in the February 1995 application (such as "VDE," "PPE," and "secure container") are 
also not likely to be found in dictionaries. 

2. The February 1995 application (which is sometimes referred to as the "Big Book") 
never clearly explains what it means by "security." It would not be clear to someone of 
average skill in the field what "secure" means in that application - for example, with regard 
to systems, system components, information, or processes. The same is true for such terms 
as "protected" and "tamper resistant." 

3. If a reasonably skillful computer security professional were to presume that "secure" 
has all of the attributes that are promised in the February 1995 application, then "secure" 
requires a guarantee of secrecy, authenticity, integrity, nonrepudiation, and availability, 
against all security threats identified in that application other than excessively costly brute 
force attacks. (What constitutes excessive cost in this context is not clearly explained). 
Again taking the February 1995 application's promises for context, "tamper resistance" 
requires that some barrier is in place which prevents access to or alteration of information in 
an unauthorized manner. The terms "secure" and "security", and additional terms such as 
"secure container," "control," "govern," "protect," "protected processing environment," "host 
processing environment" and "Virtual distribution environment," would be understood, to the 
extent possible, as set forth in Microsoft's PLR 4-2 Statement, as opposed to the definitions 
listed in InterTrust's PLR 4-2 Statement. 

4. Professor Mitchell will explain the qualifications of a person of reasonable skill in the 
computer security field, including as of February 13, 1995, and explain how cited references 
(such as U.S. Patent 5,634,012 to Stefik et al., U.S. Patents 4,868,877 and 5,337,360 to 
Fischer, Choudhury et al.'s "Copyright Protection for Electronic Publishing over Computer 
Networks," U.S. Patent 4,658,093 to Hellman, and Mori et al.'s "Superdistribution: The 
Concept and Architecture" (Transactions of the IECE 1990)) would influence such a person's 
understanding of the InterTrust disclosure. He may also address the substance of additional 
references published or created before February 13, 1995, not cited in the InterTrust patents. 

5. The specifications of the '721, '900, and '861 patents do not resolve any of these 
problems with the Big Book application. 

Summary of Opinions of Professor David Maier 

In Support of Microsoft's Proposed Claim Constructions 

1. The specification of U.S. Patent No. 6,253,193 ("the '193 patent") describes several 
mandatory features of the Virtual Distribution Environment ("VDE") architecture, including: 

• the creation of a comprehensive data security and commerce world; 

• the ability to handle all types of digital works independent of computing platform, 
making it a single, general purpose solution in contrast to multiple, limited purpose 
solutions; 

• flexible control mechanisms that can be applied to any granularity of content; 

• control mechanisms that are configurable by any user, not just the system designers or 
content providers; and 

• isolation of the system programs and protected works from the non-VDE world, 
preventing observation, alteration, interference, or removal from the VDE, except as 
permitted by the VDE control mechanisms. 

This does not mean that the capabilities of the Virtual Distribution Environment can be 
achieved, only that these are features that the '193 patent makes clear a VDE must have. 

2. The specification of the '193 patent describes a system that requires several 
architectural elements including at least the following: 

• VDE Foundation Hardware and Software - installed throughout an infrastructure of 
interlinked computing devices; 

• The VDE "Secure Container" - a mechanism for packaging protected works, control 
information, and administrative information; and 

• The VDE "Control" - a mechanism for defining the regimen for using protected 
information that is inside a secure container. 

3. Professor Maier will describe the background of a person of ordinary skill in the art. 
Such a person would understand the claims in light of the required capabilities and 
architectural features above. 

4. The specification set forth in the '193 patent has numerous inconsistencies in its 
terminology. Some inconsistencies concern the data hierarchy (e.g., methods, control 
information, component assemblies). Other examples include the description of a non-secure 
host event processing environment and the concept of containment. 

The following further summarizes Professor Maier's opinions. 

I. EXPLANATION OF U.S. PATENT NO. 6,253,193 

A. Asserted Capabilities of the Virtual Distribution Environment 

The '193 Patent describes a system that is asserted to be the first universal, distributed 
processing system for persistently controlling digital information. This system was given 
the name "Virtual Distribution Environment" or "VDE". As described in the Patent, VDE 
promised at least the following mandatory features: 

1. the creation of a comprehensive data security and commerce world; 

2. the ability to handle all types of digital works independent of computing platform, 
making it a single, general purpose solution in contrast to multiple, limited solutions; 

3. flexible control mechanisms that can be applied to any granularity of content; 
4. control mechanisms that are configurable by any user, not just the system designers 
or content providers; and 

5. isolation of the system programs and protected works from the non-VDE world, 
preventing observation, interference, or removal from the VDE, except as permitted 
by the VDE control mechanisms. 

Although these features are promised by the '193 Patent, this does not mean that they are 
necessarily achievable. 

1. Comprehensive Data Security and Commerce World 

According to the '193 Patent, VDE is described as being the only comprehensive 
solution in a world of limited solutions. VDE is described as an end-to-end solution for 
digital works that guarantees the authenticity, confidentiality and integrity of the works 
and the VDE mechanisms. These protections are promised to be effective against any 
unauthorized activity by a third party (i.e. a user other than the creator of the work) that 
has physical possession of the computing hardware and wishes to circumvent the 
protections. 

VDE must provide the ability to control the distribution and usage of digital works as 
well as tracking, reporting, auditing and handling payment for the distribution and usage. 
Additionally, VDE must support multiple business models simultaneously, for example, 
time-based and volume-based charging for the same digital work or licensing digital 
works with or without added sub-licensing rights. 

Only those systems that are members of the electronic commerce world can participate 
in VDE commerce transactions. Consequently, all transactions must occur between 
member systems since there is no way to control digital works that are outside the 
boundaries of the VDE world. 

2. General Purpose 

According to the '193 Patent the VDE system is the only rights management solution 
needed by its users because it is capable of handling and protecting all types of digital 
works, such as digital audio, digital video, software, digital cash, digital documents, 
electronic publications, etc. within a single rights management framework, whereas 
previous systems handled only limited subsets of information types. It further states that 
VDE can function within all types of electronic devices, from smart cards, pagers and 
telephones to supercomputers. 

3. Flexible 

According to the '193 Patent, the VDE system can manage protected works in 
arbitrarily sized data chunks, down to the smallest atomic element. The Patent 
distinguished prior art systems that used access controls that were limited to the file level 
or resource level. The VDE system is described as being able to meter, track, bill and 
audit the usage of these arbitrary data chunks in addition to controlling the access to those 
data chunks. For example, a consumer can be charged by the number of bytes 
downloaded or by the number of paragraphs printed. Additionally, each of these actions 
can be specified independently, such that two objects can be metered differently, but 
billed identically. 

This flexibility allows two different users to be charged at different rates, for different 
granularities, and in different currencies for using the same digital work. The '193 Patent 
distinguished prior art systems that lacked this flexibility. 

4. Controls Configurable by All Users 

According to the '193 Patent, the VDE system protects a digital work from the instant 
it is placed under VDE control subject to the permissions provided by the object creator 
(or rights holder) at the same or at another VDE "secure node." (The nature of the "secure 
node" is discussed later.) From that moment, the digital work becomes encapsulated 
within a VDE container. Then, the creator must grant permissions for accessing and 
distributing the digital work within the VDE object as well as identify how the object can 
be handled by other users of the VDE world. 

These other users can create additional VDE-based controls for this protected work. 
In general, these controls only impose additional restrictions on the VDE object because 
they cannot conflict with the creator's VDE controls (except in the limited case in which 
the creator allows his controls to be modified by other users.) Even the end user is 
permitted to add VDE controls to VDE objects that he has received. 

VDE controls are said to be persistent in that they become permanently associated with the 
protected work once they are received, and they cannot be removed or deleted except as 
permitted by so-called "senior" VDE controls. 

5. System Isolation 

According to the '193 Patent, VDE protected works can only be accessed using VDE-certified 
foundation hardware and software. As a fundamental requirement, the VDE 
foundation must isolate the internal workings of the system from the user because the user 
is not trusted. 

Each computing device in the VDE world constitutes a "secure node" that must 
provide a "protected processing environment" (PPE) composed of VDE-certified 
foundation hardware and software. Sensitive materials such as protected works, 
administrative information, control information, and VDE software components, are 
passed between the protected processing environments of secure nodes inside "secure 
containers" that shield the materials from outside observation and alteration while in 
transit or in storage. The PPE must also shield all processing of the materials inside the 
PPE and also prevent the materials or process state information from "leaving" the VDE 
except as authorized by VDE control information. If the system fails to keep a protected 
work secret, then it can be distributed freely from that point onward. If the system fails to 
prevent alteration, then the consumer may receive invalid information (e.g., a bad stock 
quote), the consumer may receive less value than that for which he bargained (e.g., digital 
cash token that has been devalued), or the consumer's computer may be damaged by 
malicious code (e.g., virus-infected software), just to name a few examples. If the system 
fails to prevent the materials or process state information from leaving, then it can be 
moved to a system outside the VDE control regime for examination, manipulation, 
replication, or analysis. 

Electronic devices outside the VDE world do not incorporate the VDE foundation, and 
hence are not constrained by VDE protocols. Thus, protected works are not permitted to 
be in clear text form outside of the isolated and rigidly controlled protected processing 
environment. 

To guarantee the isolation and integrity of the PPE, the VDE foundation software 
itself must be protected by storing it in a location that is inaccessible to the user or by 
encrypting it when it is stored at a location that can be observed by the user. 

B. VDE Core Architecture 

According to the '193 Patent, three constituent building blocks are necessary to 
implement the VDE world: 

1. VDE Foundation Hardware and Software - installed throughout an 
infrastructure of interlinked computing devices, each of which is called a 
"secure node"; 

2. The VDE "Secure Container" - a mechanism for packaging protected works, 
control information, and administrative information; and 

3. The VDE "Control" - a mechanism for defining the regimen for using 
protected information that is inside a secure container. 

Both controls and protected works are transferred between secure nodes by means of the 
secure container mechanism. Secure containers can be opened (and the protected works 
used) only within the protected processing environment of a secure node by executing 
VDE controls that regulate and track such activity. 

The proper combination of these three building blocks isolates internal processing 
from the untrusted user (by creating an unbypassable foundation of hardware and 
software); isolates protected works from the untrusted user (by placing them in a shielded 
data structure); and provides a control mechanism that will allow the untrusted user to 
make use of the protected works only under controlled conditions. 

1. VDE Foundation Hardware/Software 

The VDE foundation hardware and software must ensure that the competing interests 
of both the owner and user of protected works are respected. The owner has an interest in 
controlling the distribution of his digital works and in compelling the reporting and 
payment for such use. The user has an interest in the control of his computing device, his 
privacy, and the availability of digital works for which he has paid. 

The VDE foundation hardware and software must provide a sequestered venue in 
which external authority dominates the user's local authority in the control of information 
and processing. This VDE foundation hardware and software is the basis for any VDE 
installation on a device. 

A VDE secure node is a device that provides a VDE installation incorporating VDE 
foundation hardware and software as the base stratum on which all VDE functions are 
executed. In any secure node where protected works are used or where VDE control 
information is created or modified, a VDE secure subsystem core must be present. This 
core is enclosed by a "tamper resistant security barrier" that prevents observation of, 
interference with, and leaving of information and processes except as authorized by VDE 
control information. 

This VDE secure subsystem core handles encrypting and decrypting data and code, 
storing control and metering information, managing secure communication with other 
VDE secure subsystem cores at other secure nodes, dynamically assembling and 
executing VDE control procedures, and updating control information for protected works. 
Control procedures for the promised permission checking, metering, billing, and budget 
management features all execute within the VDE secure subsystem core. 

The VDE foundation hardware and software must guarantee that control procedures 
triggered by user or system events are executed correctly and completely in the VDE 
secure subsystem core. Both correctness and completeness are necessary to preserve the 
integrity of VDE control regime. Failure can compromise the rights, privacy, or financial 
interests of the owner or user of the protected works. 

According to the '193 Patent, these functions are provided and enforced by a secure 
processing unit (SPU) that is protected by a special purpose physical enclosure (the 
tamper resistant security barrier) that conceals the underlying VDE processing from 
observation or interference by external persons or processes, and that destroys information 
rather than allow the information to leave the VDE subsystem core via unauthorized 
means. 

The '193 Patent suggests that a tamper resistant security barrier might be simulated 
solely in software by using several known software techniques, but it gives no specific 
direction as to how these techniques can be applied to achieve the guarantees required by 
the VDE secure subsystem core in an environment that is under the control of an untrusted 
user. 

2. VDE Secure Containers 

An invariant requirement of the VDE container concept is that no access or use can be 
made of the protected works within a VDE container except as regulated by associated 
VDE control information. This associated control information can be provided in the 
same secure container that holds the protected works or it can be provided independently 
in a separate secure container. 

In addition to the protected works included within a secure container, there can be 
references to other digital works stored external to the container. However, the container 
cannot regulate other access or usage to these externally stored digital works. 
("Containment" is discussed further in Section IV. D.) 

VDE secure containers can contain administrative information, such as auditing, 
tracking, and billing requests and reports. 

The internal structure of a VDE secure container must be able to store independently 
manageable digital works. Subsections of a VDE secure container can be encrypted by 
different keys, including subdivisions of a single digital work. 

The internal structure of a VDE secure container must be able to store other VDE 
secure containers nested inside it. Each nested container is subject to its own independent 
control information. Control information corresponding to the outer container may not 
override more restrictive control information that corresponds to a secure container nested 
within it. 

The VDE secure container supports modification of its contents and its control 
information subject to the current corresponding control information. 

Because of this capability, a VDE secure container may be empty in the sense that it 
does not contain a digital work while it does contain control information that identifies the 
digital work that can be added to the secure container. Thus, a VDE secure container can 
be used as a mobile agent to retrieve digital works from remote locations. 

3. VDE Controls 

According to the '193 Patent, the configurability and flexibility of the VDE system 
arises jointly from the modular and independently selectable nature of control information 
and the dynamic construction and execution of control procedures within the VDE secure 
subsystem of a computing device. As used herein, the VDE secure subsystem refers to the 
VDE foundation hardware and software residing within the tamper resistant security 
barrier. 

VDE controls are executable procedures constructed by the VDE foundation as a 
response to a request to access or use a specific protected work. The control is 
constructed inside the VDE secure subsystem using VDE control information. VDE 
control information is composed of executable code, rule information that is enforced by 
the executable code, and blueprint instructions for constructing the executable control. 
The VDE secure subsystem guarantees that the control procedure is constructed according 
to the blueprint instructions and that the components used in the construction are authentic 
as to source, identity, and data integrity. 

All use of protected works is regulated by corresponding control information that is 
used to construct each executable control procedure. Different control procedures can 
regulate auditing, billing, metering, tracking and usage events (such as printing, rendering, 
copying, etc.) with respect to individual users for a single instance of a protected work. 
These events cannot occur except as regulated by the execution of the individual control 
procedures. Additionally, these control procedures can be applied at arbitrarily fine levels 
of granularity, such as charging for the number of bytes read. 

Any VDE user can define control procedures to the extent permitted by senior VDE 
control information. 

Control information is deliverable independent of the protected work. Individual 
portions of control information are deliverable independent of each other. Control 
information may be added, modified, or replaced over time to the extent permitted by 
earlier control information. Because independent control information for any given 
instance of a protected work can be created by different sources at different locations and 
different times, the control information from these sources can be in conflict. VDE must 
supply a means for resolving these conflicts. According to the '193 Patent, the executable 
controls negotiate to determine the conditions under which a protected work may be used. 
Thus, controls are said to "evolve" over time. 

Once delivered to a VDE node with the corresponding protected work, control 
information persists throughout the life of the protected work. 

The VDE controls must support a broad range of control regimes, all of which can co-exist 
on a single VDE secure node. 

Dynamic assembly and execution of a VDE control must occur within the VDE secure 
subsystem. Construction of a VDE control from its component parts in a non-VDE 
system allows unconstrained access to digital works. Thus, VDE control information is 
transmitted between secure nodes using VDE secure containers and stored at VDE nodes 
in encrypted form whenever outside the VDE secure subsystem. 

Executable control procedures are constructed from load modules, data, and VDE 
methods. These control procedures are assembled and executed in response to user and 
system events. According to some statements in the '193 Patent, a "component assembly" 
is a VDE control procedure. 

C. Claim Interpretation 

A person of ordinary skill in the art would understand the claims of the '193 Patent in 
light of the mandatory capabilities and architectural components described above. 

D. Summary of Internal Inconsistencies. 

The '193 Patent contains numerous internal inconsistencies. Examples of these 
inconsistencies are given below. 

1. Use of Quotations 

Hundreds of terms are set off in quotations throughout the specification. These terms 
include: detail description, virtual distribution environment, electronic highway, VDE 
aware, content, virtual, things, chain of handling and control, rules and controls, CD 
ROM, information utility, switch, transaction processor, usage analyst, operating system, 
method, budget, atomic, firmware, hash bucket, peripheral device, event-based, multi-threaded, 
locking, Remote Procedure Call, two-phase commit, and read only. Some of 
these terms are coined (such as VDE aware; rules and controls; and usage analyst) while 
many are well known computer concepts (such as operating system and Remote 
Procedure Call). 

In many cases, it is unclear whether any particular use of quotation marks was 
intended to introduce a coined term, to indicate figurative or metaphorical usage of a term, 
to indicate non-standard or a weakened usage of a term, or something else. 

2. System Availability 

In the Abstract, the '193 Patent asserts that "the invention . . . maintain[s] the integrity, 
availability, and/or confidentiality" of protected works. However, the system described 
does not appear to be designed to guarantee the availability of protected works. Rather, 
any deviation from the expected processing sequence is considered to be evidence of an 
attempt to crack the system or steal the protected works. In response, the system is likely 
to halt all processing until a trusted VDE administrator intervenes and resets the system. 
Additionally, the '193 Patent uses denial of service to enforce reporting obligations 
imposed by a rights holder. This practice is not consistent with preserving availability of 
digital works. 

3. "Container" vs. "Object" 

There is no consistent delineation in the '193 Patent between the terms "container" 
and "object." Initially, there appears to be a distinction in that the container is a shell data 
structure that is encapsulating data and the object is the combination of the container data 
structure and the encapsulated data. See Fig. 5 A. Elsewhere, this distinction is blurred by 
the use of such phrases as: 

"secure object (content container)"; 

"VDE content container is an object"; and 

"VDE container (object)", 

which appear to make container and object synonymous. 

4. The Property of Being "Contained" 

In the '193 Patent, there is no clear definition for the term "contain." The '193 patent 
states at one point that a container such as "container 302 may 'contain' items without 
those items actually being stored in the container." This definition of "contain" to include 
"referencing" is not customary in information storage terminology. 

Subsequent examples in the '193 indicate that "contain" and "reference" are distinct 
relationships. For example, "may contain or reference" is used numerous times such as in 
"Load modules 1100 may contain or reference other load modules." and as in "Container 
300y may contain and/or reference " 

5. Inconsistent Data Structure Hierarchy 

The hierarchy and relationships amongst rules, controls, methods, load modules, 
control information, and other data structures is inconsistent. 

a) "Rules and Controls" vs. "Control Information" 

The term "control information" is defined in the "Background and Summary of the 
Invention" of the '193 Patent as: ". . . load modules, associated data and methods . . ." 

Later, the specification uses the phrase "'rules and controls' (control information)" as if 
the phrases "control information" and "rules and controls" are synonymous. Further, it 
states that "rules and controls" can be in the form of: "a 'permissions record' 808; 
'budgets' 308 and 'other methods' 1000", but makes no mention of load modules. 

Subsequent uses of "control information" such as: ". . . other aspects of the information to 
be contained within the object (e.g., rules and control information, identifying 
information, etc.)"; and "the user may specify permissions, rules and/or control 
information." indicate that rules are different and distinct from control information. 

b) "Component Assembly" vs. "Control Information" 

In the '193 Patent, the relationship between component assembly and control 
information in the data hierarchy is defined inconsistently. Contrast the statement: 

"In this example control information may include one or more component assemblies 
that describe the articles within such a container (e.g. one or more event methods 
referencing map tables and/or algorithms that describe the extent of each article)." 

with: 

". . . control information (typically a collection of methods related to one another by 
one or more permissions records, including any method defining variables) . . ." 
[italics in original] 

"This "channel 0" "open channel" task may then issue a series of requests to secure 
database manager 566 to obtain the "blueprint" for constructing one or more 
component assemblies 690 to be associated with channel 594 (block 1127). In the 
preferred embodiment, this "blueprint" may comprise a PERC 808 and/or URT 464." 

In one case, the component assembly is a part of control information, but in the other 
case, control information is separable from and describes how to build component 
assemblies. 

c) "Budgets" 

According to the '193 Patent, "budgets" are a special type of "method". Methods are 
defined as containing, among other things, "User Data Elements". Elsewhere, budgets are 
cited as a common type of User Data Element. This inconsistency creates confusion as to 
whether any given use of the term "budget" refers to an executable method or a non- 
executable data structure. 

6. "Load Module" 

According to the '193 Patent, executable code is provided in the form of "'atomic' 
load modules", presumably meaning that they are the smallest unit of executable code. 
Later, however, load modules are sub-dividable into smaller load modules, which is 
inconsistent with atomicity. 

7. The "Non-Secure" "Protected Processing Environment" 

According to the '193 Patent, a necessary feature of a VDE computer is the "protected 
processing environment" or "PPE". Secure Event Processing Environments ("SPE"), in 
which all sensitive processing is handled inside a hardware device called a Secure 
Processing Unit ("SPU"), are stated as being one type of PPE. Host Event Processing 
Environments ("HPE") are also said to be a type of PPE. The HPE classification is further 
described as having two sub-types: secure and non-secure. Additionally, the specification 
defines the three abbreviations as synonymous and interchangeable starting at column 103 
of the specification, unless the context of any given passage indicates otherwise. 
Further, no criteria are provided for distinguishing between a "secure HPE" and a 
"non-secure HPE". Thus, it is not possible to reconcile the "non-secure HPE" as a secure 
operating environment or protected processing environment. 